metamorpherrat | 60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c

General

Target

60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe
Size

78KB
MD5

7fce8b67a8607f52f0f58b95eef23120
SHA1

0e506a7effb98b39c1272da3ee38c8f0d54467b8
SHA256

60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c
SHA512

0eec06a28537329a6ac92301d583cfcfd4c051e59b56bc0b595a10186ff57f865d7409d10a223f1d8ad91670db7b0806c70a18105960130d833668826af39008
SSDEEP

1536:iPCHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtg9/B1Ha:iPCHF8hASyRxvhTzXPvCbW2Ug9/G

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe

Deletes itself 1 IoCs

pid	Process
2976	tmpBA38.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2976	tmpBA38.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpBA38.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBA38.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5088	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe
Token: SeDebugPrivilege	2976	tmpBA38.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 1952	5088	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe	82
PID 5088 wrote to memory of 1952	5088	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe	82
PID 5088 wrote to memory of 1952	5088	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe	82
PID 1952 wrote to memory of 2664	1952	vbc.exe	84
PID 1952 wrote to memory of 2664	1952	vbc.exe	84
PID 1952 wrote to memory of 2664	1952	vbc.exe	84
PID 5088 wrote to memory of 2976	5088	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe	85
PID 5088 wrote to memory of 2976	5088	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe	85
PID 5088 wrote to memory of 2976	5088	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe	85

C:\Users\Admin\AppData\Local\Temp\60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe
"C:\Users\Admin\AppData\Local\Temp\60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zqf1ti4g.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCE7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAB7C66EEFE64E3D9BB15FEC1312DA98.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2664
- C:\Users\Admin\AppData\Local\Temp\tmpBA38.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBA38.tmp.exe" C:\Users\Admin\AppData\Local\Temp\60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBCE7.tmp

Filesize
1KB

MD5
fdff57a9df991881ce9b8be9dc0554af

SHA1
244f8293576e50ebc691248ab8beebc78ff8d54b

SHA256
d15d4e177870ba1b988c1a00024e4998313627dfba012776dbefd6757ab51bf9

SHA512
34e909cf9e35517c3104919f0821b84bbea84152309ca4130a89c39b2f6053a2cde90c11fab13d59834920168964c9791b292fa6f412d80af524a8c41e0a4286

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA38.tmp.exe

Filesize
78KB

MD5
4a960a841aaddd12ddf3dbe3072923b8

SHA1
32699c91d563f8336ec4fdaf3b9c6e01863c4edc

SHA256
2e98b5ae11e1bd30ad1469a233a09cfbc49929d4d8630c4493cb11e734438642

SHA512
59b739d858354de23670e123642faca1eb3bb90eba27e37205f9c0ed0349303dd3a240bd48a00fddf247e0386a4e96cc796a10ac50d81773ea6e6c4d7081f5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAB7C66EEFE64E3D9BB15FEC1312DA98.TMP

Filesize
660B

MD5
bac39d5d8205e45a80e4eb5c54b7926a

SHA1
f6bfb24fb84de7a5c0d4cff98f532d0370f1cd63

SHA256
2fe7d01c0c394bef342782b1edf8864ccbb5e2ea544a773c0f419ea45db7910a

SHA512
1cd01cdc7ff209fe5edf24d99341dc68373e9739f47ec681d6d6d1e3586b99ad6aa872f1ad764abf1881355d86c20b383bb253392a0c4481cc994e74fd95f674

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqf1ti4g.0.vb

Filesize
15KB

MD5
7228eb1891875146b7a21771b38f8ecc

SHA1
277c97607d231783f0b99a30b4b49c033d3d0843

SHA256
0f652d253ade1eb91659b739f96457a1e91c166cff670de5efa62445762eb399

SHA512
a79598fda7d6ecbcccf6fde42f51afb7c9d8f4770ff16dc3f06dc49335897298ef9637bd60a4416cbee56c297e91ff3ef945582969fee82c9f6f8f477a1205b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqf1ti4g.cmdline

Filesize
266B

MD5
61c6bdc38d7e5cd552ecd6680d119bcd

SHA1
16f9723194c20bb2eaffe4b0823e0708e59d48df

SHA256
32daa78988669703f00cd4e46715bb9190e2db15eb82ef41860089e196b9853c

SHA512
1688f36674a40b5e0bc50de47cf39d10419759701c274908b459576a5c2ecaffe95efb4f5d588f78b64aa8bb238aa66883361cd8ac6478f7988f5d267eae1203

Download Submit
memory/1952-9-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1952-18-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/2976-23-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/2976-24-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/2976-26-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/2976-27-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/2976-28-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/5088-0-0x00000000750B2000-0x00000000750B3000-memory.dmp

Filesize
4KB

Download
memory/5088-2-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/5088-1-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/5088-22-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads