metamorpherrat | 60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c

General

Target

60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe
Size

78KB
MD5

7fce8b67a8607f52f0f58b95eef23120
SHA1

0e506a7effb98b39c1272da3ee38c8f0d54467b8
SHA256

60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c
SHA512

0eec06a28537329a6ac92301d583cfcfd4c051e59b56bc0b595a10186ff57f865d7409d10a223f1d8ad91670db7b0806c70a18105960130d833668826af39008
SSDEEP

1536:iPCHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtg9/B1Ha:iPCHF8hASyRxvhTzXPvCbW2Ug9/G

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe

Deletes itself 1 IoCs

pid	Process
3924	tmp91EF.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3924	tmp91EF.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp91EF.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp91EF.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5088	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe
Token: SeDebugPrivilege	3924	tmp91EF.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 2708	5088	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe	82
PID 5088 wrote to memory of 2708	5088	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe	82
PID 5088 wrote to memory of 2708	5088	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe	82
PID 2708 wrote to memory of 1336	2708	vbc.exe	84
PID 2708 wrote to memory of 1336	2708	vbc.exe	84
PID 2708 wrote to memory of 1336	2708	vbc.exe	84
PID 5088 wrote to memory of 3924	5088	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe	85
PID 5088 wrote to memory of 3924	5088	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe	85
PID 5088 wrote to memory of 3924	5088	60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe	85

C:\Users\Admin\AppData\Local\Temp\60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe
"C:\Users\Admin\AppData\Local\Temp\60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ba_uj1nr.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93B4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB1E7C16C3BC74C6EADE89CEE9BC89948.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1336
- C:\Users\Admin\AppData\Local\Temp\tmp91EF.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp91EF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\60b9f1a2f8a25906b6a642662ab102fdb7becc9b499262aaaf2940323cdf479c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES93B4.tmp

Filesize
1KB

MD5
78e89f625284af465e9ea722c48aca4d

SHA1
4950c10514b565c44f2056524dd96cdbbc29338c

SHA256
b81c30776eb375869bad07bb87156e61f9ea5c1bb10a01ded225cfd278c758af

SHA512
e4235304563b29f1b19d1d85e9bfadaa81f5b1e7373fb5d9ddc72fc9a552b2d328e0d4516636da16bc6985d9f0bce7bb434e0e1d1e2b39c9d32333b430f748b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba_uj1nr.0.vb

Filesize
15KB

MD5
e85ee43aa6e2b6255df4ec83789357f7

SHA1
a7b2bd0b868066a7bd062d5b220c44a9ecbcf74a

SHA256
c6529510c10fec966eaf226c0a551de493550e02918d30cecb2138678fbc1b02

SHA512
d1bdac5c86c632cb94e442e7815d3eb1c1b7eceef551b0147e8b85c1ff1d054f0dede2390d366e789cb7f9adaea9f8720c00aaab2d98384c5fa00abb61de5d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba_uj1nr.cmdline

Filesize
266B

MD5
6158305f5786dca2204414fbe9ded7a6

SHA1
c1d10b1cf01a77496875b8865b9d84a40892724f

SHA256
1d68c02ec61d814c90ef43f0cabafa11023baa86cc4f2dde5377a3d2b635f497

SHA512
8219a54200e2bbfcdce18e1aa26c0aa6c222b302f00a0633345c2ce46e03ca756d6fbc59a4a7914fe51d2de4b7715d6ab19ba289fe86533330b979e012670828

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp91EF.tmp.exe

Filesize
78KB

MD5
dcba617122f77c6e588a74eafd3f3e11

SHA1
3d04640123b66c9094706fceb14a863b67ba48fe

SHA256
8eddd82644b76379b139b659d0f703e416ee339c17b5feb9367d2aee8769869b

SHA512
27aaba56d52a68237549d61817942a7ab7398664b4ade16e4b8b8c54428cdfd2e66e42ec902fc22ef1106acf30766bbf4fbe1ac9f59101d9e8323adef1a2f244

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB1E7C16C3BC74C6EADE89CEE9BC89948.TMP

Filesize
660B

MD5
af9d5c7d6f5d405f8b7475bfdb58274e

SHA1
5385e96276ab0c44de90fea73cbe487821bb75bc

SHA256
5257a0c452961cb9d9702240b3ad8e7ecf39b453244ce83e8c929cc409aa214e

SHA512
cc0e19e7eec164e851d871ffc8455fb8f32d8d386a2f5ecc0f1ef6ef40b7167e2bbda93ae0bf5f15cd8807299ec7e2889c46c99f85362f5831374ebef5c6ed2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2708-9-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/2708-18-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/3924-23-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/3924-25-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/3924-26-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/3924-27-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/5088-0-0x00000000752B2000-0x00000000752B3000-memory.dmp

Filesize
4KB

Download
memory/5088-2-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/5088-1-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/5088-22-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads