metamorpherrat | b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133

General

Target

b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe
Size

78KB
MD5

91656cb5b2816cd2afe2cc0a490c9710
SHA1

90f77ce4c34efb01b667c63d392a39dbfc1f890a
SHA256

b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133
SHA512

80554738bd4261e399a60c48df232c1ffe6b9e5e7fb52674c68c5b8c112f209bef77e7ce7a4383cfb8dda5a531b24389f000c8cf42ac920b1d240a6961e63000
SSDEEP

1536:9V58mVdv5wyFppaVs+aYTCgtWzYXxxiMrBnP5oYZNQtC6u9/T1d/:9V58m/vqyA11XYUBxprBPjc29/f

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2316	tmpD826.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
596	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe
596	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System.Management = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sbscmp20_mscorlib.exe\""	tmpD826.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD826.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	596	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe
Token: SeDebugPrivilege	2316	tmpD826.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 596 wrote to memory of 2896	596	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	31
PID 596 wrote to memory of 2896	596	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	31
PID 596 wrote to memory of 2896	596	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	31
PID 596 wrote to memory of 2896	596	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	31
PID 2896 wrote to memory of 996	2896	vbc.exe	33
PID 2896 wrote to memory of 996	2896	vbc.exe	33
PID 2896 wrote to memory of 996	2896	vbc.exe	33
PID 2896 wrote to memory of 996	2896	vbc.exe	33
PID 596 wrote to memory of 2316	596	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	34
PID 596 wrote to memory of 2316	596	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	34
PID 596 wrote to memory of 2316	596	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	34
PID 596 wrote to memory of 2316	596	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	34

C:\Users\Admin\AppData\Local\Temp\b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe
"C:\Users\Admin\AppData\Local\Temp\b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:596
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\orcf63qx.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD8D3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD8D2.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:996
- C:\Users\Admin\AppData\Local\Temp\tmpD826.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD826.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD8D3.tmp

Filesize
1KB

MD5
447f607571cb53c28e3b6e629fa97d62

SHA1
eaa2f4935382631aec0987194e54b18560f17dd4

SHA256
980fb734b684e81fefa8a61cf0027ce6c02dbf92e85e413d591bbe0b67ed9977

SHA512
b760d7b1c3c1d26727360905f01f073ebd81834286bd289591dec497582f6744542124f6c54e218e8ee9f56bf29226e846f42f1bb600750c0d05143b38a80a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\orcf63qx.0.vb

Filesize
14KB

MD5
8b64e1d91cfeb1824a8e8410afdac47a

SHA1
73d20fa1d06c89452422fba38fc354f46a0badd1

SHA256
2e3aef80ee897200e9ae88daf1f83bf0b042b3aaef1e605121db6bb398e42f65

SHA512
2b116f36c8bf55df955fce8ee0440b6ccd971576801610854872d288767e5899c87114e19d6d808bfa7648128d640aa45b4589f000b65da7480f6190bbc9da43

Download Submit
C:\Users\Admin\AppData\Local\Temp\orcf63qx.cmdline

Filesize
266B

MD5
29a37fae5764fdaafdde16c99d96e0b2

SHA1
18109c2b77de5f33c3e7141b0bb4edcca9278512

SHA256
c96ad982610a97705236609a5da8d5db37b69253425015e86361c1099842be28

SHA512
974d982359229a72c60627adf2dc18586fca25ded26af81c05509f7cc7b14b9425fcd1ceb4835865b705003169608ea6e7fec42ce8160536f433e4971356e4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD826.tmp.exe

Filesize
78KB

MD5
d0a414a783ff9f82d7286e447b6ef572

SHA1
378512b89bb761cd701e267326a0527252e37d1c

SHA256
d634b80e628ee46f345bb6472b536e7b383b9baaaa0f3d2ad236425a609eb639

SHA512
fe59b9bafe539c1b90dd05770e3df7586b86b1d9c080bce928a0a88514920995a2072b48464e11e767eaa5640edda52e194a06016d12ad28a2f3aad89800a047

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD8D2.tmp

Filesize
660B

MD5
ad73cf6e132f523964915961c2e3735e

SHA1
023181150138acccc5f5fbdef6f5f7bc6ecb615d

SHA256
2765b9a5cd5cf4b48fdb4cd20ebd4a3bce081781767ef11c542ee9d22d58c735

SHA512
32796c38961654e55ac80ac39df95b70b6265d62eae3303a4830984d86f30b2c807a479f1747f0557a661d790ec1f36683e5b7249ce58ebf847039816fd3c22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8481b7e4924c14743ffc0d34075e2ce3

SHA1
e8e7ef480499ba85190b8d5f8e43f761850b0ef3

SHA256
6110931ed1cb1b1a141d4a12044a062646f14be3566a286106e5f59ceaddc4ac

SHA512
3c4ee8221c5238aed57e4fdbcd74833edcf46d5ed602840b5265438538405b4378a1966e9cd0c34a5ce52d0afe7bd7e0d9aac6b420e515fe1ea52477f957a7e1

Download Submit
memory/596-0-0x0000000074791000-0x0000000074792000-memory.dmp

Filesize
4KB

Download
memory/596-1-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/596-2-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/596-24-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/2896-8-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/2896-18-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads