metamorpherrat | 0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc

General

Target

0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe
Size

78KB
MD5

0df3110a86b2ad893c527cf4cf89cfc8
SHA1

c2742c7fff7c3203a89fbf462ac7f15a1a8b0fde
SHA256

0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc
SHA512

2849e5b61120f8f90e7ec17be598bfb8308442a2c073e0cc7fd461649732c86cb7b411fb162230c7674390ad320954ef153b82a6d6688c7e0f31826799979ee8
SSDEEP

1536:GHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtS9/V1evZ3:GHshASyRxvhTzXPvCbW2US9/M3

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe

Executes dropped EXE 1 IoCs

pid	Process
724	tmp79A4.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp79A4.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp79A4.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe
Token: SeDebugPrivilege	724	tmp79A4.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 4060	2988	0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe	82
PID 2988 wrote to memory of 4060	2988	0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe	82
PID 2988 wrote to memory of 4060	2988	0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe	82
PID 4060 wrote to memory of 2312	4060	vbc.exe	84
PID 4060 wrote to memory of 2312	4060	vbc.exe	84
PID 4060 wrote to memory of 2312	4060	vbc.exe	84
PID 2988 wrote to memory of 724	2988	0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe	85
PID 2988 wrote to memory of 724	2988	0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe	85
PID 2988 wrote to memory of 724	2988	0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe	85

C:\Users\Admin\AppData\Local\Temp\0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe
"C:\Users\Admin\AppData\Local\Temp\0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1mvhwghp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A9E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF0938EE3A4494E9CBF1B683CA85CD4.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
- C:\Users\Admin\AppData\Local\Temp\tmp79A4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp79A4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0be2d953c7455a3aa1ce2a6c4a5ba127575a64fd7af0802bc4f949cfe6eae8dc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1mvhwghp.0.vb

Filesize
15KB

MD5
e811366df5a8415d6d7ad9371897e696

SHA1
1268e9e99726dcd17b5fb6be89760768065149d3

SHA256
9f08d5d4861979442e4fc2969f4f84732cc8e2e56fd6cddd0050f11a8443a19c

SHA512
ea779b87dd05c3c107a8b71905fbdbef187ae509e3f3c21ce511f7651c054081363e4c7cdf23341edc835d8414326107f3bbde65d80d393a067860a8bb610ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1mvhwghp.cmdline

Filesize
266B

MD5
16432310495a96b048455be881043359

SHA1
48cc53a355864d824faac1a961472a6a21b8f644

SHA256
13c4ead1d5537c7e1e9132e506d08c5c1ec0e5c70080664c16382e4414106323

SHA512
4e458675b9d399d34ae8b7c927a81a8947baf62c69e39ad98c852faea2311a08f41718901c65219ff1672ef16d0d7b088ce23b10bcf47eb0c34c357daaefae38

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7A9E.tmp

Filesize
1KB

MD5
8d885cb9b2bab7a5802617bfd26596c0

SHA1
950da5e2e6441c3fec4bf0f5e4735e5b3d8b5ec2

SHA256
d16375f0de1678a42b8c54486a8b513da5bb995327854801af659b3d779734e3

SHA512
0e2a46c3c2759d649c7bc3c064345ccaa2c9187aeafd230084db9ec2fe7b93c049cb9800c5fcea2b5d9ae9763fbbd21f0aa87e2712c0d415cead2863c62c5251

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79A4.tmp.exe

Filesize
78KB

MD5
e21850654c611acbb8db5c0674859af4

SHA1
38d39ace0087cc5647181bb5e78035950316a05a

SHA256
0102ae34018c3fdce7967a2bccf34dbd465bdc67c8346f1e3e5920444adf8486

SHA512
f86a4239aefabac0c796d747f8f9f725aed4e59ac8e610739a983f4d9e6e0ce352cbbf33336410dbf826346a90519eb6ae50479bbab497bab3e4163d41b818ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCF0938EE3A4494E9CBF1B683CA85CD4.TMP

Filesize
660B

MD5
8de1d4aa59f71de7697298bac1718193

SHA1
0900bd33301eb4bf18472f847b57046baf858dc1

SHA256
4ae76c4af8633c282b1d3b30152f2d162f7c180571fe0422f44c458b88f57c7b

SHA512
91bad98417f1cfa422e275e3b49999e5484cd0e68ec23862e011df6e25686d21037b233d2316485dcc3b629411c6ba18db190b87fa025bdb41e48ee041d29871

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/724-23-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/724-24-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/724-26-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/724-27-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/724-28-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2988-2-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2988-1-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2988-22-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2988-0-0x0000000075452000-0x0000000075453000-memory.dmp

Filesize
4KB

Download
memory/4060-8-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/4060-18-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads