metamorpherrat | b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133

General

Target

b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe
Size

78KB
MD5

91656cb5b2816cd2afe2cc0a490c9710
SHA1

90f77ce4c34efb01b667c63d392a39dbfc1f890a
SHA256

b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133
SHA512

80554738bd4261e399a60c48df232c1ffe6b9e5e7fb52674c68c5b8c112f209bef77e7ce7a4383cfb8dda5a531b24389f000c8cf42ac920b1d240a6961e63000
SSDEEP

1536:9V58mVdv5wyFppaVs+aYTCgtWzYXxxiMrBnP5oYZNQtC6u9/T1d/:9V58m/vqyA11XYUBxprBPjc29/f

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe

Deletes itself 1 IoCs

pid	Process
3708	tmpA2B8.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3708	tmpA2B8.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System.Management = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sbscmp20_mscorlib.exe\""	tmpA2B8.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA2B8.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4888	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe
Token: SeDebugPrivilege	3708	tmpA2B8.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 4580	4888	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	85
PID 4888 wrote to memory of 4580	4888	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	85
PID 4888 wrote to memory of 4580	4888	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	85
PID 4580 wrote to memory of 4116	4580	vbc.exe	88
PID 4580 wrote to memory of 4116	4580	vbc.exe	88
PID 4580 wrote to memory of 4116	4580	vbc.exe	88
PID 4888 wrote to memory of 3708	4888	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	90
PID 4888 wrote to memory of 3708	4888	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	90
PID 4888 wrote to memory of 3708	4888	b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe	90

C:\Users\Admin\AppData\Local\Temp\b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe
"C:\Users\Admin\AppData\Local\Temp\b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\svn_mjqk.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA383.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc90738A84162F47D1976AD66FC476D4.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4116
- C:\Users\Admin\AppData\Local\Temp\tmpA2B8.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA2B8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b2b09f0de9598a24ac92115a35617353032bffa95b8ac10e27563917a697f133N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA383.tmp

Filesize
1KB

MD5
571c37a1953f8ef3e1da97bda5dc7e48

SHA1
ba655afcf2748d587e0ec8a5369b5a11e9eb3690

SHA256
11197c079328ee5237221504fdee4528554abe18c0181730dd4f6deb0e68e9cc

SHA512
8e64c5cbaa7b26aa95869e63c3d745e200c82865a4847f0c6a496b02378769781f91f27e52457020b076593c91e6a16683e198168b66de5828208c7af43ff650

Download Submit
C:\Users\Admin\AppData\Local\Temp\svn_mjqk.0.vb

Filesize
14KB

MD5
2938c8a9b7f23a5bff203fc49f46b690

SHA1
39ea001f716353b100d7a4bb4d36f48ed609e98c

SHA256
f05d44aab2e07a07d39abe3b77c80cc08b1688ff382533c6623b63dbeccf4449

SHA512
aedaf4b1ca98f2ccdc0491e59c6f80a727a53a2de1525dd8fd35ff820f2fb8ebcea0f6371aebce1736c275f3aa034ffd4b4e2f789413adf0ab38ccc13441e759

Download Submit
C:\Users\Admin\AppData\Local\Temp\svn_mjqk.cmdline

Filesize
266B

MD5
8ebc9ffe9bfd1afd62d3c0b8095a71e7

SHA1
aaf3700762a8867ac5f38840f42dd76a861bd521

SHA256
584d33d23574e88295d3c2725d5d06784fd3e3882f613f4e85b0f2a4948f92be

SHA512
24c7f3e76b88f34f03521e0de11e7aa14bd3918dcad44835629ab84cbc92a350f62dcb627436c932ad4306b9a63301e682793f98307b1386a73c1fc60650880a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA2B8.tmp.exe

Filesize
78KB

MD5
72337e274b7e3cac72c7c8f0d3dda1a7

SHA1
8f30c7c8cf0c80632d53c6ff3d5622009409bfbe

SHA256
b7a86cfd1b3ac94504ced41ea1ead9680f3c2edf078e24f16221b8865eae5720

SHA512
cb96185385bdadd45ba1ca08e04b22ea4088e1f7b26fea13b1bbfdc200a577fb1138dc9af0ee7ec3b20124d544c7e96398166143b3b1741febd814fed6ae09d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc90738A84162F47D1976AD66FC476D4.TMP

Filesize
660B

MD5
d091dc3c8f4c932333430da0cb3121b2

SHA1
148df67018848b436583ce435e3e03915c38bfd8

SHA256
f7901af18901ba4d6759777030b57a28c84f0098887dd5cb35a0c880606d522b

SHA512
58ed6d788d64c053d7cabe8ff6aa40db89d481bff930f3e9db1277271849b625c59e6f835ced582918a8afd9c628cae332bd060fa0a65d2c363731634b5a6a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8481b7e4924c14743ffc0d34075e2ce3

SHA1
e8e7ef480499ba85190b8d5f8e43f761850b0ef3

SHA256
6110931ed1cb1b1a141d4a12044a062646f14be3566a286106e5f59ceaddc4ac

SHA512
3c4ee8221c5238aed57e4fdbcd74833edcf46d5ed602840b5265438538405b4378a1966e9cd0c34a5ce52d0afe7bd7e0d9aac6b420e515fe1ea52477f957a7e1

Download Submit
memory/3708-23-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/3708-24-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/3708-26-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/3708-27-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/3708-28-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/4580-8-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/4580-18-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/4888-2-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/4888-1-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/4888-22-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/4888-0-0x00000000745E2000-0x00000000745E3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads