metamorpherrat | bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f

General

Target

bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe
Size

78KB
MD5

d323cb30fb40bdcb6e0449367a1bea24
SHA1

2681d0910b80b36bd9a8bfd0a776ac613e9a769b
SHA256

bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f
SHA512

02c1756a71eeff857235d332094de3232feaaaf9524f05ff6134aa426b3b3c2e21fc5b6c23b06bb7e13d8a866a69be8bfe79124a9aa3f388f0fbfdcea3a69af0
SSDEEP

1536:Py5jSfXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQty6d9/w1sV:Py5jS/SyRxvhTzXPvCbW2Ul9/N

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe

Executes dropped EXE 1 IoCs

pid	Process
1676	tmp85CA.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp85CA.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp85CA.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4256	bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe
Token: SeDebugPrivilege	1676	tmp85CA.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 4964	4256	bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe	85
PID 4256 wrote to memory of 4964	4256	bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe	85
PID 4256 wrote to memory of 4964	4256	bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe	85
PID 4964 wrote to memory of 3888	4964	vbc.exe	89
PID 4964 wrote to memory of 3888	4964	vbc.exe	89
PID 4964 wrote to memory of 3888	4964	vbc.exe	89
PID 4256 wrote to memory of 1676	4256	bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe	90
PID 4256 wrote to memory of 1676	4256	bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe	90
PID 4256 wrote to memory of 1676	4256	bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe	90

C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe
"C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\amadn7j6.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86C4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD7C7351565654EC0B1AEDA90A05883CA.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3888
- C:\Users\Admin\AppData\Local\Temp\tmp85CA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp85CA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES86C4.tmp

Filesize
1KB

MD5
cd74f3b79e09f8ad3494b140bd3aee0d

SHA1
9458d0ca71ba08ea9800f49089bd1df3fbc00fe3

SHA256
8eeb451a486985a336f432adb4da44e8a9bfebf23a0dcef861149fa0cd326dca

SHA512
f88100d74974dd6edc0c2a28c89bfadcae7785e4d7617511fde0d0d57476a611910b4709ad58dec2f2da68a184be62efbcf7a31bb5b4e1f984e05456b07558fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\amadn7j6.0.vb

Filesize
14KB

MD5
1500ba4a09a0264141dc2dcd64d4688a

SHA1
adc9a2e2529992da91678abd441cfae9d3756917

SHA256
846417c2ea926ba5997bb223126dee70077241c64fc6520ba32e0bba75a2daf8

SHA512
1b77d0feed1501f86fe5eb83edfa9068f0588dde7e73f6affe11df819a078ba760bb2655f08321e4fe762142381baceee7d39fd2c7c764e6c42a5609b8181c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\amadn7j6.cmdline

Filesize
266B

MD5
70383d9469c65033e477b34e755cb668

SHA1
3d548b543b0e823e3238d122153a596920e3d48e

SHA256
1b4e3a15739e9ae4a2434ba7754e856c6864a5f0b461cb77d6eb45c8b0cc2de8

SHA512
06def29f1dc04eb6809b9322e72dcb3a6ba2aaea0845a82090ee4c21826ac5cca9b422ab64869d4481ef7ddd50987cb22928f93b5f7972b34d9f1169f514b47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp85CA.tmp.exe

Filesize
78KB

MD5
9776c9c56bcaf595bb4454d2532aaf1f

SHA1
f0ae467b48042e492303de4b412f7a795a3cc5fb

SHA256
b701dafd15e653959aa3ef153d2ad7d80f86792c39b6eeb515328408e62cd770

SHA512
4aa14cab7f55a57ac44f15d53d2ee75c96d70e0176e8fa0070ab804fb3f7f3dc7ddd709ff3d464962ce836ecda14646743e8ee56a6f1bb38193258fb6564717f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD7C7351565654EC0B1AEDA90A05883CA.TMP

Filesize
660B

MD5
82e4c5eb059f5aad297b9ed09e614547

SHA1
03363510f7776d00aec5aed799c2232c5000d2fc

SHA256
37afb7101ed290e27820d6eaa70b101fd0de2decac6e9823133f40f90209a050

SHA512
3359126a43238a0a1cdba662838a628d6d01eda04a7da625b3ab06375f25166c11186efaa8ff57d98ed26b289d0387036cd387f1a61530e5d51245cacc769a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1676-24-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/1676-23-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/1676-26-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/1676-27-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/1676-28-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/4256-2-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/4256-1-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/4256-0-0x0000000075182000-0x0000000075183000-memory.dmp

Filesize
4KB

Download
memory/4256-22-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/4964-8-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/4964-18-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads