metamorpherrat | debbb60dda14e0a7855e725d6e00a7d9428fd3e4811e350e9712182381224f4a

General

Target

debbb60dda14e0a7855e725d6e00a7d9428fd3e4811e350e9712182381224f4aN.exe
Size

78KB
MD5

b3ead9dcdb1fe0de6f31e7a0c64a1330
SHA1

234a9f80d52cfd73db043b4fb93e2c7eb431d037
SHA256

debbb60dda14e0a7855e725d6e00a7d9428fd3e4811e350e9712182381224f4a
SHA512

457d905be6a487103d4fa21b1cff829c8589fe6fa15aa7bf7255e53630ee21af08b7a22227abbb9b4bcad42a6d0fe68e220f176d4d3e328f1f48daeda0f1cb3d
SSDEEP

1536:jRCHF3M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtR99/t1J6:jRCHF83xSyRxvY3md+dWWZyR99/4

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	debbb60dda14e0a7855e725d6e00a7d9428fd3e4811e350e9712182381224f4aN.exe

Executes dropped EXE 1 IoCs

pid	Process
1344	tmpBDC2.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpBDC2.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	debbb60dda14e0a7855e725d6e00a7d9428fd3e4811e350e9712182381224f4aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBDC2.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4080	debbb60dda14e0a7855e725d6e00a7d9428fd3e4811e350e9712182381224f4aN.exe
Token: SeDebugPrivilege	1344	tmpBDC2.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 5040	4080	debbb60dda14e0a7855e725d6e00a7d9428fd3e4811e350e9712182381224f4aN.exe	86
PID 4080 wrote to memory of 5040	4080	debbb60dda14e0a7855e725d6e00a7d9428fd3e4811e350e9712182381224f4aN.exe	86
PID 4080 wrote to memory of 5040	4080	debbb60dda14e0a7855e725d6e00a7d9428fd3e4811e350e9712182381224f4aN.exe	86
PID 5040 wrote to memory of 4344	5040	vbc.exe	89
PID 5040 wrote to memory of 4344	5040	vbc.exe	89
PID 5040 wrote to memory of 4344	5040	vbc.exe	89
PID 4080 wrote to memory of 1344	4080	debbb60dda14e0a7855e725d6e00a7d9428fd3e4811e350e9712182381224f4aN.exe	90
PID 4080 wrote to memory of 1344	4080	debbb60dda14e0a7855e725d6e00a7d9428fd3e4811e350e9712182381224f4aN.exe	90
PID 4080 wrote to memory of 1344	4080	debbb60dda14e0a7855e725d6e00a7d9428fd3e4811e350e9712182381224f4aN.exe	90

C:\Users\Admin\AppData\Local\Temp\debbb60dda14e0a7855e725d6e00a7d9428fd3e4811e350e9712182381224f4aN.exe
"C:\Users\Admin\AppData\Local\Temp\debbb60dda14e0a7855e725d6e00a7d9428fd3e4811e350e9712182381224f4aN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b9oerbkt.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF1A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE3DE792772B741A0BA98B471E9C5743.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4344
- C:\Users\Admin\AppData\Local\Temp\tmpBDC2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBDC2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\debbb60dda14e0a7855e725d6e00a7d9428fd3e4811e350e9712182381224f4aN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBF1A.tmp

Filesize
1KB

MD5
b2ee8ed0f8e8f87f353ca9633454991d

SHA1
517d1b17067822effd9d0c230d58ed9f171afc63

SHA256
65f1e2b11fccf0e7abefa9436e22f876daf5d095150c52e4272d5e7b6d86f0a1

SHA512
38ad1f1d3d5df7d4af2cd6aa38d8b06b0d57e5d52d44033e99dfff9fe2f2a0db34c175bfd650988f3375e8eac217eac2f024e010e6e1e6fe3b404f475c5c208f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9oerbkt.0.vb

Filesize
15KB

MD5
7345ba2c767d432a9015c4796a7292c9

SHA1
e44363934320fec7ea4c48f36dee43e46023c0f3

SHA256
b6b461aa743049d328bfd3e1326be9dbf4e0c420151c22d1cae45c545c299854

SHA512
6c94578370ae21480a331e962b7ae15fca5f4afd1ae41914da7a21d743ce4db5720a1fdfecb0581c43db0bbb7d82ac33aa234cc9d008babc50736b6af626ee35

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9oerbkt.cmdline

Filesize
266B

MD5
e6c621fdbd51594445d90e10f098c1f2

SHA1
20976d94668a5b230f3d80270eadb106d09532d1

SHA256
e47b4973e7183cc4745d18a59ea86bd1dca743c1d65028a4aaa6a84cd12ad9b0

SHA512
d722f9697e5192be88dcd07b43f36d6df569ec7b3f1c733b992639b052ee4c5efd16a3293ad3a69c5fc6cdd2608c1b03da4a09a59690cb094ea1d7bb69786789

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBDC2.tmp.exe

Filesize
78KB

MD5
1d46047defe9f5a2f17c2441865dc7b7

SHA1
488b0299ce7910cd9f88131f311c73830c0fc69e

SHA256
531753f68540a94664e82332eecfd49a83067a3691b450a247ae92bd91544f01

SHA512
564e6d5e4333aac0fe4a9baded4ab6fa8ec942e2bc89d71cba54a043f43a249b85fc3d73735e37128b86fe65b127af7dc14ac42ca86e98fcc5b240984387bb47

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE3DE792772B741A0BA98B471E9C5743.TMP

Filesize
660B

MD5
a041b65d643a8146575305cee2d76f5b

SHA1
18747a0737eeb78338f74ce36c4f0609c036e896

SHA256
1ba0b2831525f36c12424eff3b5e4a055a392ad32596c4860a19bce882d4fb3e

SHA512
c1d624a7f827d57542fbd898635a63c546940f4fb0bd2bc760a3ed399a8418568317e4ebdf3b0c61c6e7cac70f158f58ec232812b311bb8e5299950bfe7e258d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1344-22-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1344-24-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1344-26-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1344-27-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1344-28-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1344-29-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1344-30-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4080-2-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4080-1-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4080-23-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4080-0-0x0000000074692000-0x0000000074693000-memory.dmp

Filesize
4KB

Download
memory/5040-8-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/5040-18-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads