metamorpherrat | cb9aa29fc2138de807891b529a07ce61d2ec32ec63176b463fed5425af5bf842

General

Target

cb9aa29fc2138de807891b529a07ce61d2ec32ec63176b463fed5425af5bf842N.exe
Size

78KB
MD5

794f6ac4345e8e89b7dee7276654a190
SHA1

ffd2a50541d35461d2f4e0ae7d6964a9e77fd20b
SHA256

cb9aa29fc2138de807891b529a07ce61d2ec32ec63176b463fed5425af5bf842
SHA512

a8f42f271cce26aa7d5918d89cb22e95ed267fa26076068a87f59b36ef4e3f4a1a5c8fdf7ec42771e7d3c1895b9c6c67e3e14a1b007d33b1a8b3d6fa0e5b58e2
SSDEEP

1536:vWV5jSJXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtN609/Bs1T/:vWV5jS5SyRxvY3md+dWWZyf9/w

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	cb9aa29fc2138de807891b529a07ce61d2ec32ec63176b463fed5425af5bf842N.exe

Deletes itself 1 IoCs

pid	Process
1120	tmpBC1C.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1120	tmpBC1C.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpBC1C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb9aa29fc2138de807891b529a07ce61d2ec32ec63176b463fed5425af5bf842N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBC1C.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3136	cb9aa29fc2138de807891b529a07ce61d2ec32ec63176b463fed5425af5bf842N.exe
Token: SeDebugPrivilege	1120	tmpBC1C.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 4716	3136	cb9aa29fc2138de807891b529a07ce61d2ec32ec63176b463fed5425af5bf842N.exe	84
PID 3136 wrote to memory of 4716	3136	cb9aa29fc2138de807891b529a07ce61d2ec32ec63176b463fed5425af5bf842N.exe	84
PID 3136 wrote to memory of 4716	3136	cb9aa29fc2138de807891b529a07ce61d2ec32ec63176b463fed5425af5bf842N.exe	84
PID 4716 wrote to memory of 2220	4716	vbc.exe	86
PID 4716 wrote to memory of 2220	4716	vbc.exe	86
PID 4716 wrote to memory of 2220	4716	vbc.exe	86
PID 3136 wrote to memory of 1120	3136	cb9aa29fc2138de807891b529a07ce61d2ec32ec63176b463fed5425af5bf842N.exe	87
PID 3136 wrote to memory of 1120	3136	cb9aa29fc2138de807891b529a07ce61d2ec32ec63176b463fed5425af5bf842N.exe	87
PID 3136 wrote to memory of 1120	3136	cb9aa29fc2138de807891b529a07ce61d2ec32ec63176b463fed5425af5bf842N.exe	87

C:\Users\Admin\AppData\Local\Temp\cb9aa29fc2138de807891b529a07ce61d2ec32ec63176b463fed5425af5bf842N.exe
"C:\Users\Admin\AppData\Local\Temp\cb9aa29fc2138de807891b529a07ce61d2ec32ec63176b463fed5425af5bf842N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\niuetq4w.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBDD2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc614B21A2E8E04E9A872BED1F4955136.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2220
- C:\Users\Admin\AppData\Local\Temp\tmpBC1C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBC1C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cb9aa29fc2138de807891b529a07ce61d2ec32ec63176b463fed5425af5bf842N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBDD2.tmp

Filesize
1KB

MD5
565ed949e752f583ebbf4e527428dbed

SHA1
f0d0da311a361bbf8616ecdc53bf200fe9cf5c29

SHA256
71ff2317725bf6bcc4b2a8a07fede29e7c25391803550f85c78271462f05bc0c

SHA512
8612f6bcd686ce27c5480667427969bf36fb4408f3c283db0b0e6873e8f0094ae16630c5d6f0dcec4a7e3819ea007e4060bdbf4dd565757959c952d368b2813a

Download Submit
C:\Users\Admin\AppData\Local\Temp\niuetq4w.0.vb

Filesize
14KB

MD5
806e3885d02a4a4d16e2b4bcee21c8c3

SHA1
3727936be1876370802b7e25df202be05552cdfa

SHA256
ac1d0737ba09eb74043378995223d71c3e4d3d678a76601a1cf6d4c8a949e182

SHA512
2e9f2656809ada9b0b7ca93521d351f68f7bfe0b21b4731e69b69c768ef397fc9124b64752b82a6ca865d36dc222c061e4ab8c4eecb7ead9042ec9a699274a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\niuetq4w.cmdline

Filesize
266B

MD5
686e6069d0a25e4f932ae24d39f1988a

SHA1
de69e641286c27cfb07e090ad29c572ada0c0a6f

SHA256
e9d8b02d54e90521c154c8da5d8212d8d09da9a78be37cc75785113c80faa919

SHA512
f815829f66d552b12905f286590a45889b3eef2b08051b96486084a38f6a21b1acbd687131b626e15d3191dae394755f85dc203612c9971ead0bd4579199d138

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC1C.tmp.exe

Filesize
78KB

MD5
fd00213a69126ff2580eb2d9e09bdfd1

SHA1
314d5a66e03bffa0f1247874b120f2422e44f1a1

SHA256
fce96b8ea687fd8b99f784787f58ec2fe785a0251e15fb1ae6cabe30c85ddea2

SHA512
1b0b33d11d28f4e47f985e2d55d41e9bfcb8f35741927525d9656e42ce300905c175e57d9216c39d043b9c0c0d4055a8be7d48ba20efa76c8ccc90e184e58f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc614B21A2E8E04E9A872BED1F4955136.TMP

Filesize
660B

MD5
8755e898782363bce7dfdbf3873aefd3

SHA1
d67b328b8faeeffd7e0d0182c8d2e806e4707fbc

SHA256
f697d2acdfb0948a8b3d7fa3de006d54f4b501ad4187cb791fe42fe5a96aef1a

SHA512
f2e8678b2fec6585e96efcf88398d4c0bf6f014502c406dfdd47af1410d08dcf49a0fc3a1430c323c2607de91a53229ff401b088b43f84213e73b072da6296c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1120-23-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1120-28-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1120-27-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1120-26-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1120-24-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/3136-22-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/3136-1-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/3136-2-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/3136-0-0x0000000074692000-0x0000000074693000-memory.dmp

Filesize
4KB

Download
memory/4716-9-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4716-18-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads