metamorpherrat | 07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff

General

Target

07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe
Size

78KB
MD5

e5a28cec78d365832ad8dbb0ba37bd6c
SHA1

6797a971726d0528646c0a2c25398550d582af81
SHA256

07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff
SHA512

232b9719b281fb92e19f1405004c29cc91f19288166e0176465c52ece3e01ffd3b0a8818becefce01f65d18a0b86a0d6fc008b1ac258c3205e36800199a91329
SSDEEP

1536:ptHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRU9/jA1kdg:ptHYnhASyRxvhTzXPvCbW2URU9/Ng

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe

Executes dropped EXE 1 IoCs

pid	Process
2864	tmp7A7F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp7A7F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7A7F.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4924	07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe
Token: SeDebugPrivilege	2864	tmp7A7F.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 2144	4924	07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe	83
PID 4924 wrote to memory of 2144	4924	07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe	83
PID 4924 wrote to memory of 2144	4924	07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe	83
PID 2144 wrote to memory of 4436	2144	vbc.exe	85
PID 2144 wrote to memory of 4436	2144	vbc.exe	85
PID 2144 wrote to memory of 4436	2144	vbc.exe	85
PID 4924 wrote to memory of 2864	4924	07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe	86
PID 4924 wrote to memory of 2864	4924	07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe	86
PID 4924 wrote to memory of 2864	4924	07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe	86

C:\Users\Admin\AppData\Local\Temp\07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe
"C:\Users\Admin\AppData\Local\Temp\07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\86lzzokk.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C64.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc29A67D66E984674A96466F728BF1F93.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4436
- C:\Users\Admin\AppData\Local\Temp\tmp7A7F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7A7F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\07bbf60bd5f17b7e7dc67c478cc626534dd7d270c4fff3e6ae5b869fd19ca7ff.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\86lzzokk.0.vb

Filesize
15KB

MD5
88a05a0dca72b9062e892463c1c5852e

SHA1
497bb5908e3ac088f35a1ba669a43b3e75fe0a17

SHA256
7cb1e85644f0d41fdca700ef3df08c1e8bb8800025b82dc3c51493777112bfbf

SHA512
530748d340d040971f96e15101dcc44fcd9a91590c47122e2a79af7f4d970bba898c0e9dbda150027934d6f9a059ef36554112d0c84257dfa227883770d83584

Download Submit
C:\Users\Admin\AppData\Local\Temp\86lzzokk.cmdline

Filesize
266B

MD5
51824da688ba85b1f68ca3ac702e01da

SHA1
1feeacca7ab5f94d394aefe1b0dd90f6b808c531

SHA256
6923ce8b5c5e3ba123e0284afb007bce910c26fb0a74a988f4192a6a1b30776f

SHA512
48101dded535b5216b1dd03eb8fd1e7cf673231c077f6b256635f0f8555373e40cfc8e3ba207845e610c9f8cb91431351ea1d1940a0afc4116cf5392b93f5eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7C64.tmp

Filesize
1KB

MD5
9862a858043a8857d132dbd4929db4f1

SHA1
6c7cf08bf28979aa2deffbbc8804b11533f13624

SHA256
cac0b841d77da449964e0fd8ea9e607a9c66afa9c2a9aefac554efe6732a9668

SHA512
8574637c5efe190ea92834415e963016be1bf32c711b0e3a0bc06a5a341519be8aea675e80da518425dd4fa699576fcdc0da1a3f6bc3a91160db7b0d0d4b1661

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7A7F.tmp.exe

Filesize
78KB

MD5
c94b05f0e37e6961f7f65642394ea8d9

SHA1
8a1093fa8972e0dd1cbd406f5b2f261583b766d0

SHA256
f40381262d4d954592dfeda295d41f5bda8b459055ba6c9ec6a76b43e9108635

SHA512
2aa9f710f7621616e757d2e388f61c930cb32a0056eda19f04745901e084d3aa270147fd5776bb307f4baca0e936a307ee7d150f7b8c2e1646bcf3f8e1e680fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc29A67D66E984674A96466F728BF1F93.TMP

Filesize
660B

MD5
095191b26bac32e8d15a8a7e74a22aa7

SHA1
a547926f4c94b6e5c4ceee9a0840d78a88f03227

SHA256
ef8497f24ac6ac292d60ae868b1e9ec39116d72c505b07c8b14815e9387f85f5

SHA512
16fcdb68bbbc4af929c504628a1e03415cb0f7fb904fb4d9f4bf4453a608aafa1a62333817f7292f114448b92cf92c18a25e561c304495835908afb30885c687

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2144-18-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/2144-9-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/2864-23-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/2864-24-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/2864-26-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/2864-27-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/2864-28-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/4924-0-0x00000000751F2000-0x00000000751F3000-memory.dmp

Filesize
4KB

Download
memory/4924-2-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/4924-1-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/4924-22-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads