metamorpherrat | 19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bf

General

Target

19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe
Size

78KB
MD5

101dc35f3de0a2ef05ae48feb50f3a40
SHA1

7d27ed36b125396902798471a5982cbc13c15e6b
SHA256

19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bf
SHA512

7a4d00a31a76b705db4c35da45b8c4a9fbffa20fab505c89c30c2f158aacea3f28ed2d489ffe70b3383384f97d37dcd6da512c3d0959168cd373bd1763d5bfa9
SSDEEP

1536:4HF3JIdXT0XRhyRjVf3HaXOJR0zcEIvCZ1xjs9np/IPioYJbQtH9/Xt1cS:4HF5INSyRxvHF5vCbxwpI6WH9/Xn

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe

Executes dropped EXE 1 IoCs

pid	Process
3620	tmpA018.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""	tmpA018.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA018.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3492	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe
Token: SeDebugPrivilege	3620	tmpA018.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 3376	3492	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	86
PID 3492 wrote to memory of 3376	3492	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	86
PID 3492 wrote to memory of 3376	3492	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	86
PID 3376 wrote to memory of 3980	3376	vbc.exe	88
PID 3376 wrote to memory of 3980	3376	vbc.exe	88
PID 3376 wrote to memory of 3980	3376	vbc.exe	88
PID 3492 wrote to memory of 3620	3492	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	92
PID 3492 wrote to memory of 3620	3492	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	92
PID 3492 wrote to memory of 3620	3492	19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe	92

C:\Users\Admin\AppData\Local\Temp\19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe
"C:\Users\Admin\AppData\Local\Temp\19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vigqqgr6.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA306.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4770FD72D044F35879D2FA452DC47B8.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3980
- C:\Users\Admin\AppData\Local\Temp\tmpA018.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA018.tmp.exe" C:\Users\Admin\AppData\Local\Temp\19b3e108e57f8e129bf2fb449987804f20fc0716d378834eba64be2b96ae16bfN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA306.tmp

Filesize
1KB

MD5
0f34ae3dfde86dda2f719c2e6f66e607

SHA1
8ab8fee43c0cb1d01862f5027f63a914d11cb6ef

SHA256
9a31202bf27e1c5fd08e08504da2479491893a6a0fac18610460078b1f744925

SHA512
42e43839ec8a8809f2671da9d3195e03415902e06baafb67d802c08ec57c92a9a572a4f24656eb3b24d95ffdf82123acbfa63215cad1c4a5168aed2982da37d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA018.tmp.exe

Filesize
78KB

MD5
125fcd24154069a8e915ac8368708975

SHA1
2d215f1f238e38576e844f6f4c26f92f4a21a2a7

SHA256
dd5b495077d613e39f630aaf397c4c37af57a287f62b7df9868e3e1e00a023e1

SHA512
5cb97cdfc52210589fd90d33925cabf00ef2cfb56be668d785c5f4ff18b78e265ece120a1afc0dec7086cab340deaef3c817d82f57d4d31b35e6f753974869e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4770FD72D044F35879D2FA452DC47B8.TMP

Filesize
660B

MD5
13032b799e26f82ccce0cc5c069cc708

SHA1
cd7754cd857fbcda37760c646dd5a971092ee9c6

SHA256
9f520cb2d4649c5f52930869f00d61d38be81a94a02b435ddf95c2998eb68713

SHA512
8a2159474fd5f178ea1c6e553d2f597afd535e966bbe4ad6e2d625112584786779df843817190c2d33b7ed8b06a5894e91c89acb7b14287fc8744df562439da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vigqqgr6.0.vb

Filesize
15KB

MD5
d67aba974e02e9db62e5871132a0ae25

SHA1
2cc3feca3543448fa65939f41f7da514eff7eab1

SHA256
c1a3cb531a5400ca20119c02d03d353fced916213d051efc459274dd338c830e

SHA512
31a898601fc74901f1ae12d71276184381c634fd8aa4e67b8dc76976143a5d68d0bdeea4900e754dd07d413840e2b35d25813b6fc66e66196938cbb7003014e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vigqqgr6.cmdline

Filesize
266B

MD5
e9d0bf76dccf43cd25c82dc1f10906f2

SHA1
07e0b15298f41a0b4cf47300d5d91dcfb9fa17fc

SHA256
c03c6b941842f9dd9853215c415d05a750f35cbfa0a1bb1cf01c129be10a668e

SHA512
b088bac1f40dd20e51eecea2ab0437ee8918da37745a8bd785d101af1571cea1b970be60f4249ef6b3715b7381724d17edcf63ce369236913e1baa41a07bab05

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
097dd7d3902f824a3960ad33401b539f

SHA1
4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f

SHA256
e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f

SHA512
bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

Download Submit
memory/3376-18-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3376-8-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3492-1-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3492-2-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3492-0-0x0000000074BB2000-0x0000000074BB3000-memory.dmp

Filesize
4KB

Download
memory/3492-22-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3620-23-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3620-24-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3620-26-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3620-27-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3620-28-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3620-29-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3620-30-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads