metamorpherrat | c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9

General

Target

c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe
Size

78KB
MD5

85033b49c9ac41e0c9bf581ab2bcb550
SHA1

de84c29eae054377ff594acda306def1448d3ce6
SHA256

c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9
SHA512

001609c9190f506833a56bf273bc62bbfe2a5b7692275e0eda543599f9d55cf1584023ab87fe5e5b4e2d63951f25d505b8f949645e7a33b5473714d826ecae26
SSDEEP

1536:OPWtHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtS9/K1+m:OPWtHFon3xSyRxvY3md+dWWZyS9/y

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	4328	dw20.exe
Token: SeBackupPrivilege	4328	dw20.exe
Token: SeBackupPrivilege	4328	dw20.exe
Token: SeBackupPrivilege	4328	dw20.exe
Token: SeDebugPrivilege	4804	c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 4328	4804	c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe	83
PID 4804 wrote to memory of 4328	4804	c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe	83
PID 4804 wrote to memory of 4328	4804	c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe	83
PID 4804 wrote to memory of 4892	4804	c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe	85
PID 4804 wrote to memory of 4892	4804	c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe	85
PID 4804 wrote to memory of 4892	4804	c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe	85
PID 4892 wrote to memory of 2660	4892	vbc.exe	87
PID 4892 wrote to memory of 2660	4892	vbc.exe	87
PID 4892 wrote to memory of 2660	4892	vbc.exe	87

C:\Users\Admin\AppData\Local\Temp\c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe
"C:\Users\Admin\AppData\Local\Temp\c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 436
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4328
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tb5ck6gx.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES827E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC23C1357E4A7438695815C9E9E7FC9.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES827E.tmp

Filesize
1KB

MD5
3b2edef698454c83dba89e245e3a2e08

SHA1
41f2e8fa6eebc7e8d621a2686a799d5c81b869ae

SHA256
fe763844ec2853f6671f66e9053072af301d75a008258a7cd060097870b0e380

SHA512
e4a2390990e25400639b7fd41296ebb727cd2091380dc3305a9149f90246ed13334912a7a6fb9a64abcc56a84cd3089e3a2dd2940e22ebf0c0af9e443c3090b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tb5ck6gx.0.vb

Filesize
15KB

MD5
36aad9bd42712728208bab5e7462c1f6

SHA1
1d5180f9f3596e20f6fb4652c1166790e19219a1

SHA256
c697ba1cd2bab6faa127b085699c4a9ee57656d70d874f9b81253c1c6522bc02

SHA512
ff5c531da02bfa02d6505135568c969850697f200899239f64a6202f16550e97e5876d6c49d965f5b91a5027ecea32db7b90d55fb30e174b8d508d5e70f48079

Download Submit
C:\Users\Admin\AppData\Local\Temp\tb5ck6gx.cmdline

Filesize
266B

MD5
52ae759b2b10b84fbd09d220b024547f

SHA1
20ad900d2620aa4a2e5b5e87cc92a9622629b560

SHA256
f779cda8125ca7e63be3cb59e4d76441471f9085f5fe7ba0872c5ea2869adf82

SHA512
723fbd8fb8668a6c9f66c7d2019c4147010c2518af48e367009afdc3ccccc30e4d4a28625f7e328bd582255b88d3c228973bcd0ec4b97a9a11f332e7f50a1a4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC23C1357E4A7438695815C9E9E7FC9.TMP

Filesize
660B

MD5
0b24a5fff301fd545229620371c35007

SHA1
038478b4a06b49a2b1972f5e509300c1ea13d2a0

SHA256
ed73a10d931251a4c6d8689d2a86de3fb7b5fd0aa0816cbb83772a8c9623ab02

SHA512
9357e457dacb93ec3af99a55a978d72273172af7e3455ed4c3c155139bedbda146d0841144adee8de1a898bf04e5b172fe4580cc51554e3b0e261446ecba8047

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/4804-0-0x0000000075232000-0x0000000075233000-memory.dmp

Filesize
4KB

Download
memory/4804-1-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/4804-2-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/4804-15-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/4892-14-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/4892-25-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads