metamorpherrat | 0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243

General

Target

0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe
Size

78KB
MD5

1e0e24b8f1b13d94658ea28c5306f295
SHA1

c0e9acfe1125c646e347c80ecdc0d9b03b5628fe
SHA256

0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243
SHA512

4518ad98b02c2b4f1e318436f30fe32bfba6cb7960f84e96ddee5b1b75e0c81d753c5bfb1338fccbec6fc59b57694c6b1f87d8fbd16663964efe609c16e92e6a
SSDEEP

1536:sc58eXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQts6R9/P1zf/:sc58WSyRxvhTzXPvCbW2UP9/5/

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe

Executes dropped EXE 1 IoCs

pid	Process
2240	tmp9F7C.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp9F7C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9F7C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1272	0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe
Token: SeDebugPrivilege	2240	tmp9F7C.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 3736	1272	0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe	81
PID 1272 wrote to memory of 3736	1272	0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe	81
PID 1272 wrote to memory of 3736	1272	0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe	81
PID 3736 wrote to memory of 4896	3736	vbc.exe	83
PID 3736 wrote to memory of 4896	3736	vbc.exe	83
PID 3736 wrote to memory of 4896	3736	vbc.exe	83
PID 1272 wrote to memory of 2240	1272	0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe	84
PID 1272 wrote to memory of 2240	1272	0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe	84
PID 1272 wrote to memory of 2240	1272	0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe	84

C:\Users\Admin\AppData\Local\Temp\0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe
"C:\Users\Admin\AppData\Local\Temp\0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sy7eya4g.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA037.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E834774C25344C19B7F7D73D75415C0.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4896
- C:\Users\Admin\AppData\Local\Temp\tmp9F7C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9F7C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0fb64bfea5ade41124fdcf89e258c7f57bdd7b5481a5248f7c5356882a8a5243.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA037.tmp

Filesize
1KB

MD5
aa604328d2b8d85a3f55278aed275367

SHA1
fedd378b6ead9bd7d6a7a42b9f80bb336d30c047

SHA256
57e1417c44ab090f9c2b211263309a0fdf153c07e602eff13612e7e58334403f

SHA512
fefde8d18203b3f1e6c00a5061aa7bc728514d75c6f43a570c10ea7db5f3167bc52711f7a5e86b5da7de73919793a74d486596f8a9b7192056518848d1d8008e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sy7eya4g.0.vb

Filesize
14KB

MD5
113b2ba51d4be7edbff76194b4f55d09

SHA1
2e564b266e51fd85f5e4797fbbf3fb168ac2a614

SHA256
e59bd22a1c5d183f9b83185b3e861b5d60d82055e6ac8fe879bccee2171ce236

SHA512
dd181e6e1585149c70114c80cfc079c1c9d5331a04e7a0e308021ad9c95af4a6fe72fe0a6068d1f7d4d3d49b5501b4428dab1e4d34ac85cf4efff0af06ee1d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sy7eya4g.cmdline

Filesize
266B

MD5
43b3c2d4714b244b5ab774ed17345837

SHA1
f040924345a093e00114131457d8b2bb3ca1ba43

SHA256
914d827d627b61e9ba8487a434b11faaf06773eb2ea7ffcb15c1c07942c7b1f9

SHA512
9d2283a4728e742422b8ec927e9262a57ee37e1e1c91b6ce970dac6ee55d726dab79ecd3cd29ece38f7ccbbc0927b9360ebedc16c3934e2ce43e2743915da681

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9F7C.tmp.exe

Filesize
78KB

MD5
d0e787e7e89104b9445e1d6688c3d9e8

SHA1
a0834524b1ed18d23675ce201c6b3949715ff69b

SHA256
f58ce52488ef1d71c3800d0ebca21cb516ba068217655a06d0f06e8b5f9e3a5e

SHA512
9d10edf0331344c62d881897150e687edfbb74e13aaa71f86f3f9576a78b628fff3ba6716502554e7caddd66f8c57532399e01f3572906f68e9ef0cc04877f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6E834774C25344C19B7F7D73D75415C0.TMP

Filesize
660B

MD5
e59171b3b46cc50fdd312b26739f7051

SHA1
c1c52c570dd7f0c5bf97182a20392ce52486269a

SHA256
581946b1bb033071bfd5132414063e9fcf6da227871b84551c14d571bbe5fe5f

SHA512
2436e2bd107886ad505dc981daec0db7eacde6c9d825c2717c3a6e4390875b54f5992e87566ac34d8d094809f2ab64de1c8cb45b049d1420e651df41cabb580d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1272-22-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/1272-2-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/1272-1-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/1272-0-0x0000000074AD2000-0x0000000074AD3000-memory.dmp

Filesize
4KB

Download
memory/2240-23-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/2240-24-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/2240-26-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/2240-27-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/2240-28-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/3736-8-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/3736-18-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads