metamorpherrat | b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bb

General

Target

b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe
Size

78KB
MD5

0d40169fe50fde60e4e88e57ef018dd0
SHA1

55fbbc205c7ac64b480281f8418e0c5e5d430872
SHA256

b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bb
SHA512

860290b7444922a9ca23dcb37a927557ab6d44a3c00bea9f47950a23c6c6eaaf14e012f35308d4774905990c01483aa5974fd5704eeb374b3f2d6ea6bca2bcf7
SSDEEP

1536:FuHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtew9/UT1Od:FuHFonhASyRxvhTzXPvCbW2Uew9/N

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe

Executes dropped EXE 1 IoCs

pid	Process
4976	tmp8608.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp8608.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8608.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe
Token: SeDebugPrivilege	4976	tmp8608.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 4872	2688	b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe	83
PID 2688 wrote to memory of 4872	2688	b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe	83
PID 2688 wrote to memory of 4872	2688	b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe	83
PID 4872 wrote to memory of 3276	4872	vbc.exe	86
PID 4872 wrote to memory of 3276	4872	vbc.exe	86
PID 4872 wrote to memory of 3276	4872	vbc.exe	86
PID 2688 wrote to memory of 4976	2688	b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe	88
PID 2688 wrote to memory of 4976	2688	b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe	88
PID 2688 wrote to memory of 4976	2688	b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe	88

C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe
"C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kviqmqcu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8770.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc94C722595F844E9FB14C5AFA93D9FDB7.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3276
- C:\Users\Admin\AppData\Local\Temp\tmp8608.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8608.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8770.tmp

Filesize
1KB

MD5
48678837cf13b1e4882f21d4c04a37d9

SHA1
c78f8c6f83d2b72cc0ad10316b8c76df954facad

SHA256
1174681a1397fa1031910c98876a93a1c02f47718a90fc3ee91e5e5607c6f6b0

SHA512
c48c932d63ed8b5034e47d658f9ed152fe45f5394e3b77164d469631a4e2f076bb6f192346e6193da0dbfdfceee2b9d9404f67bef7ad13c179fb38d72534eb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kviqmqcu.0.vb

Filesize
15KB

MD5
8eb61d6ff9adea6a5972b8ed9b9bc078

SHA1
24cac37e4dcd5d15737141622d7ee3f771559eda

SHA256
688000902bc4dfe1ea4b4d53db0b47fdc55a4c8535ea21ab3698d469c56d3310

SHA512
1463650a35965de5d3ce0b9a34a988adef951c862d2e25e5e6d00156e3c2d27c93c747fef59353b449fcc7dad890c085a0429174471db4a6d8d19532f5e77fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kviqmqcu.cmdline

Filesize
266B

MD5
87fedf2af133a950e3695fb8c534c5d8

SHA1
e5cd25e4c8b81495baecf098ff67a268e11c9936

SHA256
6b2365b93cd2be0ef058ed9d1fc8d878c61e1df35f91c4fd0b2d16a02505553c

SHA512
d8ab77f88fb5401b87a503ba55d97ec16a2c401ec084f344fbc8d2f9e877a15a2527800e8a582588ec81a266e3154d924e8fa9dbaaf2e2705fac9ed85f866826

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8608.tmp.exe

Filesize
78KB

MD5
3a35fccc072f32e5c7e72418f1cd80d8

SHA1
966e5dd518ac7d94790a0939cbe18454cec7fe71

SHA256
8d18d8264e4fe43c5f03093086fec5e129f3cabe50d8f36e84e995428c5b8946

SHA512
23f54e5e7974288a9d7347b83e089a9156acab3bfe06b5abdbe61a7dc8b516975c86bafc327956e843b1adc918a4fb661bde1444caa63f8feb7ecc55e15f015c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc94C722595F844E9FB14C5AFA93D9FDB7.TMP

Filesize
660B

MD5
511761bc67de9d7d3c0c13fdb3b1b7f8

SHA1
0957d1eb99b5bc3aa0fad888400bb1ac6a91499f

SHA256
f34d8d467ee3b03fe0430ee6c7d06e5db44a7833590dbef360feffd7033f0e6d

SHA512
7d04d1f35678140ebe25d637a43c247f9f221ebd9d97de0c59e8a639502a3de5ad96af5fd12ce1fd32c82ed436f7ae1b545fc73834a4073b802900c3f798368c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2688-1-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/2688-2-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/2688-0-0x0000000074BB2000-0x0000000074BB3000-memory.dmp

Filesize
4KB

Download
memory/2688-22-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4872-8-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4872-18-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4976-23-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4976-24-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4976-26-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4976-27-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4976-28-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads