metamorpherrat | 6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172

General

Target

6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe
Size

78KB
MD5

41bfbd29b3d9a9f22e0290f77cc24af0
SHA1

f939e45ce0e1f7d92ee5c0e5b2cde2f85a1c7205
SHA256

6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172
SHA512

0ce5f3cddd6c82a1e88c87d3e766e46d8badf2606d08e98194ebebb51e8e73b864798d00a0d38bc3785d46e4938e47accde92f674be2db693bd7f740de4f7cd6
SSDEEP

1536:LtHY6JIdXT0XRhyRjVf3HaXOJR0zcEIvCZ1xjs9np/IPioYJbQtH9/x915k:LtHYOINSyRxvHF5vCbxwpI6WH9/xK

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe

Executes dropped EXE 1 IoCs

pid	Process
4124	tmpB536.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""	tmpB536.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB536.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe
Token: SeDebugPrivilege	4124	tmpB536.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 4212	2692	6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe	84
PID 2692 wrote to memory of 4212	2692	6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe	84
PID 2692 wrote to memory of 4212	2692	6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe	84
PID 4212 wrote to memory of 3264	4212	vbc.exe	88
PID 4212 wrote to memory of 3264	4212	vbc.exe	88
PID 4212 wrote to memory of 3264	4212	vbc.exe	88
PID 2692 wrote to memory of 4124	2692	6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe	90
PID 2692 wrote to memory of 4124	2692	6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe	90
PID 2692 wrote to memory of 4124	2692	6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe	90

C:\Users\Admin\AppData\Local\Temp\6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe
"C:\Users\Admin\AppData\Local\Temp\6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nh79otxm.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB640.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc21A6957417314E4D91D3BF6B335AF6C2.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3264
- C:\Users\Admin\AppData\Local\Temp\tmpB536.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB536.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB640.tmp

Filesize
1KB

MD5
e1afa9de1f8838cb52e7f6f9afdf44ab

SHA1
58db9632e0f798c823574116bc8fcb0a650252bb

SHA256
0794f4a3febdf108e0903121eb5b1dfa13151b61ab990f33c90362d6a657d9a5

SHA512
32ed9aa692e0114a1d6a535bc698049bb37ec2d35f8ea03c4750c665e7eb49c30379d04180822e24017adb8b337d804ec77be0f73fb6d7e6afde65a20a725427

Download Submit
C:\Users\Admin\AppData\Local\Temp\nh79otxm.0.vb

Filesize
15KB

MD5
05014641b2e98d490a4639f41be609fc

SHA1
903804ecab7ca2a09483b33f0364342fbdfd7867

SHA256
e790d540d3aebc15081d6999438c8757aab6b2c5660492395cc9768dc5b9ff91

SHA512
aa7ffa8f7e96e95b9b18d63af5df3657a2679e6b4379a639de644c348236cb2e3bc0d58cfa9a503de88b4f55407b62a345aa0902384a01821c416848adf2e149

Download Submit
C:\Users\Admin\AppData\Local\Temp\nh79otxm.cmdline

Filesize
266B

MD5
b3a9303ab8d44a69dba490da6352a034

SHA1
4a21bbbaa3e7ef928bf842da93a6e1e011443c66

SHA256
2ab41a4b499eef0abad508bb78b1d9925fb36c8d7f79c2a30eb99517bb908b2a

SHA512
61e1ea5489f37d47bdd1e119e0a51f64dcbcdbaeaf6d0a82c42a6a75001730017a1b61a0cf6bd5fec98c633977c8a85ad07fb195b077de28b7522523d7ebe9c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB536.tmp.exe

Filesize
78KB

MD5
384b5ca2c68a5ac481b4b5ed8bd2568f

SHA1
cbba06112f08939a0165c4df8ee818efabd0fe72

SHA256
40bd3655513d3f484ff8a8feb4ff6afb75d3a9755ce65b4dd687ab8b46aa62b8

SHA512
5dcae8be65c20d1fd9e558349d16ae783a947008335715e335dc79cc184dd0e2b27101e566e309ff3c1b30413fef5d347e90d8a6d20383099a3f9c0e86bcf8ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc21A6957417314E4D91D3BF6B335AF6C2.TMP

Filesize
660B

MD5
2e468fbb52dd73d41d0e0f0aa314e5e6

SHA1
44c8e38ba3986b81e6ca23f68961dbb5fcea2bfc

SHA256
8058cf59d3a8b4a6bd1807d5ed1dc4205ec70dc1648575fd05e9250db2b1f97d

SHA512
95e36b2a62d2741768e31268c27337d11fbd2af65e4546e48be3bb6b0599af9afc1c8bd8884284780289d3c9118c6eaf18b2f1fadf80c87f3b1b01cd10a4b157

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
097dd7d3902f824a3960ad33401b539f

SHA1
4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f

SHA256
e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f

SHA512
bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

Download Submit
memory/2692-1-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/2692-2-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/2692-0-0x0000000075592000-0x0000000075593000-memory.dmp

Filesize
4KB

Download
memory/2692-22-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4124-24-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4124-23-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4124-26-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4124-27-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4124-28-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4124-29-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4124-30-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4212-18-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4212-8-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads