metamorpherrat | 19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bf

General

Target

19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe
Size

78KB
MD5

101dc35f3de0a2ef05ae48feb50f3a40
SHA1

7d27ed36b125396902798471a5982cbc13c15e6b
SHA256

19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bf
SHA512

7a4d00a31a76b705db4c35da45b8c4a9fbffa20fab505c89c30c2f158aacea3f28ed2d489ffe70b3383384f97d37dcd6da512c3d0959168cd373bd1763d5bfa9
SSDEEP

1536:4HF3JIdXT0XRhyRjVf3HaXOJR0zcEIvCZ1xjs9np/IPioYJbQtH9/Xt1cS:4HF5INSyRxvHF5vCbxwpI6WH9/Xn

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe

Executes dropped EXE 1 IoCs

pid	Process
4856	tmpB650.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""	tmpB650.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB650.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4328	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe
Token: SeDebugPrivilege	4856	tmpB650.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 2160	4328	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	84
PID 4328 wrote to memory of 2160	4328	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	84
PID 4328 wrote to memory of 2160	4328	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	84
PID 2160 wrote to memory of 3584	2160	vbc.exe	86
PID 2160 wrote to memory of 3584	2160	vbc.exe	86
PID 2160 wrote to memory of 3584	2160	vbc.exe	86
PID 4328 wrote to memory of 4856	4328	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	88
PID 4328 wrote to memory of 4856	4328	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	88
PID 4328 wrote to memory of 4856	4328	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	88

C:\Users\Admin\AppData\Local\Temp\19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe
"C:\Users\Admin\AppData\Local\Temp\19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\omljulzh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7A7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA052CDEC865A42CBBF275878F674EB44.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3584
- C:\Users\Admin\AppData\Local\Temp\tmpB650.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB650.tmp.exe" C:\Users\Admin\AppData\Local\Temp\19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB7A7.tmp

Filesize
1KB

MD5
3b61b5099e89148a1c1a614bf16d7c11

SHA1
4226d916b678a2407780274bd2c5d67b3c835ec1

SHA256
a78a46e1ddc6dc465f3da886a32b3b6d09bdc9de695f64d2cd984f76f9d0f911

SHA512
5aec894e5c3319ca0d0d1d47e69ebfeb0bb94e94ee92530eed42ce790754823b01b400e86d708df915e3bc7d2095ce765e8ac3a9a845ba7d439592b97902bcc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\omljulzh.0.vb

Filesize
15KB

MD5
0405920f9e6905bc4f1ce68947da0617

SHA1
c4f86e8fb34b33bcf933bb3ba283af5172be5f67

SHA256
e43b660b252ba9d6b961ebad6911d2e5b64493b65a0deee6282536453a6dda47

SHA512
2cb3a4c02f7715e506146e7f17fb5ad5e54905225f187f9a06c9847df123c902228f51ab14c8baad6340c6da4d2a583137a2b654ab046dccab6b13a52c3197a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\omljulzh.cmdline

Filesize
266B

MD5
35e19a62712b17e3684dab4a435330ad

SHA1
7cc38ad2a338a740689513ed927a708a219b2639

SHA256
6b1ccc454866ab94347ea36de51160be3bdced3525b22cd318c5346295a5d883

SHA512
a2fd29bbe5dde5c34defd326afd05f8166b423857d7891fb6590774e93a374f8f38debd7ac6291a89fcd4d7c7ca5899a8c68bbd917565d91395cd6409140d0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB650.tmp.exe

Filesize
78KB

MD5
836b665ef089cc5269df4dd5f2be505c

SHA1
86a1e74771b2a6c1ef7f662bebc9e5b01c4b17be

SHA256
37498bcd1fab48f8d4162ee7dbdf8b095015554c0d028a5f06c06532b0c94716

SHA512
02144e393cb9d4a6f54d099ff139368df35f23e54c46c2098909089b8a1a9a224642970becb810a05c7cdb2f69006a002301d6f82a99722174fe17108afa0541

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA052CDEC865A42CBBF275878F674EB44.TMP

Filesize
660B

MD5
2d3944dc8569ae4a8f86ca9b63045cbc

SHA1
a55543ccd3354592afb2611281e8e21009cdef79

SHA256
b6a16c05671501f9099e7801af3f6dfc9895dad42afbfbc36010a6f3b2741242

SHA512
73f3945d4290cbffb9ff05bc165224fcf06d4172a5f5f6358431cade4a610d0a0b68cf2e751f91a213e8f98b0f8b2ecbca8d7c27d66d627d0a5670af773dabae

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
097dd7d3902f824a3960ad33401b539f

SHA1
4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f

SHA256
e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f

SHA512
bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

Download Submit
memory/2160-18-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/2160-9-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/4328-23-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/4328-2-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/4328-1-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/4328-0-0x0000000075282000-0x0000000075283000-memory.dmp

Filesize
4KB

Download
memory/4856-22-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/4856-24-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/4856-26-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/4856-27-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/4856-28-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/4856-29-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/4856-30-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads