metamorpherrat | 67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09

General

Target

67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe
Size

78KB
MD5

89acae0ecba8842f2155d1d63206ffb9
SHA1

19504e1af0cca38865d49dedc483874db86f778f
SHA256

67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09
SHA512

2feefbec53cb5dd9868178929bd08b0de9e97f171d0ceed888c5257a3b3ef16a92372d422dcdf1473c8d05fbaaf61a12751aa0be9d1479506440ac00490f7f0a
SSDEEP

1536:XuHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQte29/61Ys:XuHF8hASyRxvhTzXPvCbW2Ue29/G

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe
Token: SeRestorePrivilege	3324	dw20.exe
Token: SeBackupPrivilege	3324	dw20.exe
Token: SeBackupPrivilege	3324	dw20.exe
Token: SeBackupPrivilege	3324	dw20.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 3976	3016	67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe	83
PID 3016 wrote to memory of 3976	3016	67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe	83
PID 3016 wrote to memory of 3976	3016	67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe	83
PID 3976 wrote to memory of 3544	3976	vbc.exe	85
PID 3976 wrote to memory of 3544	3976	vbc.exe	85
PID 3976 wrote to memory of 3544	3976	vbc.exe	85
PID 3016 wrote to memory of 3324	3016	67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe	86
PID 3016 wrote to memory of 3324	3016	67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe	86
PID 3016 wrote to memory of 3324	3016	67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe	86

C:\Users\Admin\AppData\Local\Temp\67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe
"C:\Users\Admin\AppData\Local\Temp\67222424e945f5072a1961572f5e716b93c587ef93a7ed1c9767b66f9e6dec09.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1vpmeszb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8240.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBAA4B55CAEA94BCF954A262EB10D0BC.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3544
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 956
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1vpmeszb.0.vb

Filesize
15KB

MD5
8c42097e2d09148ef39f69320e62fd6d

SHA1
be9c06609c41582160a2b0e8d2454eb9d14d55db

SHA256
d66888cc95fdeefcab013e9ffcc06cd9a4188557714fa4087fc8bb77e69f0d7b

SHA512
4b8b9e20350707a36d1e972f77b1905664b5729e449c639068071136d7037bced8ec57db293e696e479fcdc3c9cac14ed94de70ffb7cbd8dba4b7cdc9a54688f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vpmeszb.cmdline

Filesize
266B

MD5
3d76963f59c53964885d09d5746b3621

SHA1
3dc1aa1771238bec88af96e1576ebd7ab6df3b1c

SHA256
85da05944c949899b0a4a4cbd7d17838f0eb49007b4d90a40c8c29671dacd497

SHA512
20038fb022db5334d18d554d61c66ec00521bcd61b0ced5eb7f098c8f0ea2be69106f94276709e5611f1e4525d34f8b85cafe14cd8efb9673565452b2f0b4124

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8240.tmp

Filesize
1KB

MD5
7b5b2643c9d27db940f9f6e7d5364a59

SHA1
70db8afb9e9034c175e850814e5428c8c94653d1

SHA256
421970c44d5fe6ec39407952c719d917b94313ec2430aba8efabe72911b6a730

SHA512
fbc6b58c75465b4c2ef454686f80993e53131858e618db631e66198d536debfaa9f095d2e8bc0495a080a91aa24ec986011dde660b2100edad78d9b17b042be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBAA4B55CAEA94BCF954A262EB10D0BC.TMP

Filesize
660B

MD5
0b24a5fff301fd545229620371c35007

SHA1
038478b4a06b49a2b1972f5e509300c1ea13d2a0

SHA256
ed73a10d931251a4c6d8689d2a86de3fb7b5fd0aa0816cbb83772a8c9623ab02

SHA512
9357e457dacb93ec3af99a55a978d72273172af7e3455ed4c3c155139bedbda146d0841144adee8de1a898bf04e5b172fe4580cc51554e3b0e261446ecba8047

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/3016-0-0x0000000074C92000-0x0000000074C93000-memory.dmp

Filesize
4KB

Download
memory/3016-1-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/3016-2-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/3016-26-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/3976-8-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/3976-18-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads