metamorpherrat | b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133

General

Target

b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe
Size

78KB
MD5

91656cb5b2816cd2afe2cc0a490c9710
SHA1

90f77ce4c34efb01b667c63d392a39dbfc1f890a
SHA256

b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133
SHA512

80554738bd4261e399a60c48df232c1ffe6b9e5e7fb52674c68c5b8c112f209bef77e7ce7a4383cfb8dda5a531b24389f000c8cf42ac920b1d240a6961e63000
SSDEEP

1536:9V58mVdv5wyFppaVs+aYTCgtWzYXxxiMrBnP5oYZNQtC6u9/T1d/:9V58m/vqyA11XYUBxprBPjc29/f

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Deletes itself 1 IoCs

pid	Process
2464	tmp5EC3.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2464	tmp5EC3.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2052	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe
2052	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System.Management = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sbscmp20_mscorlib.exe\""	tmp5EC3.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5EC3.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2052	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe
Token: SeDebugPrivilege	2464	tmp5EC3.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 1508	2052	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	29
PID 2052 wrote to memory of 1508	2052	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	29
PID 2052 wrote to memory of 1508	2052	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	29
PID 2052 wrote to memory of 1508	2052	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	29
PID 1508 wrote to memory of 2892	1508	vbc.exe	31
PID 1508 wrote to memory of 2892	1508	vbc.exe	31
PID 1508 wrote to memory of 2892	1508	vbc.exe	31
PID 1508 wrote to memory of 2892	1508	vbc.exe	31
PID 2052 wrote to memory of 2464	2052	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	32
PID 2052 wrote to memory of 2464	2052	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	32
PID 2052 wrote to memory of 2464	2052	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	32
PID 2052 wrote to memory of 2464	2052	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	32

C:\Users\Admin\AppData\Local\Temp\b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe
"C:\Users\Admin\AppData\Local\Temp\b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\88uehdji.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES621E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc621D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
- C:\Users\Admin\AppData\Local\Temp\tmp5EC3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5EC3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\88uehdji.0.vb

Filesize
14KB

MD5
9c0a09606fcfafeafb1abee35c7ab7d0

SHA1
d98f44cc448295fe9a0d459f620658f3ebb7996e

SHA256
340b9989cb93dda103bd42c5853035605ecac66ffeb1a4e03001551fa4b8cbd3

SHA512
e15b5d5aa6068d778152d8bd55e2d785d13d0c7b7ffe23acf5608150afea4dec60bd9827c13fcbe0fa989f1df65685558b3916b342c3a95884deee9ed3cd3bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\88uehdji.cmdline

Filesize
266B

MD5
21102cb336c59e325ff4599eba505c87

SHA1
61e4552ce1bd1272e853a79b9555117d3894f838

SHA256
5e8ebe093e56f2b35479dee654ff7b1d9512739f83e5f80162b514d1d9bf9f15

SHA512
4603ecae3eb5d42cc3428f0271417db968459e85efbaa28f30448714d446aa3e1dcb2eff1ab4889ea271a437d9a4c1dd9814255bdfe54ca7ee67d6aa1b9f68bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES621E.tmp

Filesize
1KB

MD5
2007b48d371bc35967d007abbb0628ad

SHA1
eda7cb53213a50b0a36b77d261a9e3a34c64b9d0

SHA256
a95d641a67dfd17b7b25eab6d992ce581e62c550315e24b04b21840753ae922a

SHA512
891b72f8ddc2f06f82425a4e1aafdd7d78b9940d4fe9d2ddaf0b110332bbcfe13332aec939570543794190d17db4560e351c2e232d0cc2b964695747add49d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5EC3.tmp.exe

Filesize
78KB

MD5
71fe5dd167aa7348f9bc39f928a150aa

SHA1
24b82e917b51e5cd8cb18778c3ae45ad142c390f

SHA256
6013af5546997b0eec5c538e5c6bd317d8c764c206cc57f98052df65fae6ddca

SHA512
2ceea21d13bb6ce84e3125b0c7177b945109c6943bf0a4e57ff10c60f04f245432d2881f68b0bdb6bad3b6b085039bfd356fbcfd1a1b8c9a1bf6fff06f0049f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc621D.tmp

Filesize
660B

MD5
ff767c6ab3d062bbbc864fabf843e573

SHA1
ec8197d85c1c60bb25014e9d63e6182995f0970a

SHA256
a4e342605a507f763ff70fac2cfc77763aff586d61f07154972b8e30b45649ef

SHA512
79d81a2c555cd2361118406e66b1dc5757b771a3c73a27e48966f6e7198f47cc3437d44b96c7a14e417c220054b2b10a982a31713a01f704b8655df353833bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8481b7e4924c14743ffc0d34075e2ce3

SHA1
e8e7ef480499ba85190b8d5f8e43f761850b0ef3

SHA256
6110931ed1cb1b1a141d4a12044a062646f14be3566a286106e5f59ceaddc4ac

SHA512
3c4ee8221c5238aed57e4fdbcd74833edcf46d5ed602840b5265438538405b4378a1966e9cd0c34a5ce52d0afe7bd7e0d9aac6b420e515fe1ea52477f957a7e1

Download Submit
memory/1508-8-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-18-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2052-0-0x00000000747D1000-0x00000000747D2000-memory.dmp

Filesize
4KB

Download
memory/2052-1-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2052-2-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2052-24-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads