metamorpherrat | b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133

General

Target

b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe
Size

78KB
MD5

91656cb5b2816cd2afe2cc0a490c9710
SHA1

90f77ce4c34efb01b667c63d392a39dbfc1f890a
SHA256

b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133
SHA512

80554738bd4261e399a60c48df232c1ffe6b9e5e7fb52674c68c5b8c112f209bef77e7ce7a4383cfb8dda5a531b24389f000c8cf42ac920b1d240a6961e63000
SSDEEP

1536:9V58mVdv5wyFppaVs+aYTCgtWzYXxxiMrBnP5oYZNQtC6u9/T1d/:9V58m/vqyA11XYUBxprBPjc29/f

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe

Deletes itself 1 IoCs

pid	Process
2916	tmp81F1.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2916	tmp81F1.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System.Management = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sbscmp20_mscorlib.exe\""	tmp81F1.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp81F1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe
Token: SeDebugPrivilege	2916	tmp81F1.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 4844	2856	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	84
PID 2856 wrote to memory of 4844	2856	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	84
PID 2856 wrote to memory of 4844	2856	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	84
PID 4844 wrote to memory of 3524	4844	vbc.exe	86
PID 4844 wrote to memory of 3524	4844	vbc.exe	86
PID 4844 wrote to memory of 3524	4844	vbc.exe	86
PID 2856 wrote to memory of 2916	2856	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	88
PID 2856 wrote to memory of 2916	2856	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	88
PID 2856 wrote to memory of 2916	2856	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	88

C:\Users\Admin\AppData\Local\Temp\b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe
"C:\Users\Admin\AppData\Local\Temp\b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u0dlwivi.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83F5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcED07CC5ABF384C21ACBC2F91E89E4CB.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3524
- C:\Users\Admin\AppData\Local\Temp\tmp81F1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp81F1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES83F5.tmp

Filesize
1KB

MD5
a8936c59ddab5a600de7731b7fe6fca6

SHA1
7fccfb6cab7d22532f89c74c11d63c4004c26e9d

SHA256
29251278ce6dab6f07b5ceba0e35d43afd779c23398545d01481613b5ab83ec1

SHA512
7677e93d706b9613b31c5933fb95ed94490fe4fad64ddbad2e709c93267ca6619876894361ed5390e39d50be79dc390cd5acd90a357f9896da24a492db156958

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp81F1.tmp.exe

Filesize
78KB

MD5
98952dc29281f2490c0d6dfc83be63d0

SHA1
3dd42d0d31a03a6e9017929f6fe8a03b755c8a94

SHA256
192e496484ffd89b7e1240256f05907a0c359cfdf3bf6a81cb3af3c7838fc630

SHA512
b4beb48e7de7ddbf20d441474066d46e38f941b8651200063048ecabbb432a3f95e362f58a04ed0eef532b5ef23785c9e8b786f84424f58c799fb67a2a6d9106

Download Submit
C:\Users\Admin\AppData\Local\Temp\u0dlwivi.0.vb

Filesize
14KB

MD5
a6f195ba890bde332f469a8eb0ee9453

SHA1
fb9c529e8fa9b6ae6546927a6e21e04ed27ecc3d

SHA256
1e7b42d8cddcfbfe06fd10dd16e97f2373da1e09dc5520bdcc922902953ce6ea

SHA512
ec72ef48701322fab76653323d2a24fa1777a4dba5e06bec9840906bcc5e9ba0b0753a152e91dda141c3b5e9fdef5e43eaf45b35d6019e1e7a53fed5c30c9c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\u0dlwivi.cmdline

Filesize
266B

MD5
0ab92f8ba3bd4f8c4a53b59951b82253

SHA1
77c764d5818e776b8421754e8ace8e2b9ee79bad

SHA256
d5252707986ea16129fa48f921d6e1db35f69e8c79b4a56f7cc19ec607837b72

SHA512
c6cfebc3ff5a4c58db646f33610531965874731357c9da2060f97ce5346378611e46111e6ea2c9559b3341312ff529367bbbd0d9bd9e4f6ea5b97d3b20c2abe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcED07CC5ABF384C21ACBC2F91E89E4CB.TMP

Filesize
660B

MD5
3de371690964e93f33818bb2481e7cd7

SHA1
95675556dfe45715cd85fc38038a8889f9986b4f

SHA256
98afb7c7f9605c5eb2d166957eeba838913ca99ade379149b5b3e67607e59563

SHA512
9ce518b83b41bacf8de50b60540403078040873ec8efa61dc13e9369183e6c5364cf8b5b969168436a8af6a0e21deefbd29ad12c94da70089961c6e91182799d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8481b7e4924c14743ffc0d34075e2ce3

SHA1
e8e7ef480499ba85190b8d5f8e43f761850b0ef3

SHA256
6110931ed1cb1b1a141d4a12044a062646f14be3566a286106e5f59ceaddc4ac

SHA512
3c4ee8221c5238aed57e4fdbcd74833edcf46d5ed602840b5265438538405b4378a1966e9cd0c34a5ce52d0afe7bd7e0d9aac6b420e515fe1ea52477f957a7e1

Download Submit
memory/2856-22-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/2856-2-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/2856-1-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/2856-0-0x0000000074872000-0x0000000074873000-memory.dmp

Filesize
4KB

Download
memory/2916-23-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/2916-24-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/2916-26-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/2916-27-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/2916-28-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/4844-9-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/4844-18-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads