metamorpherrat | 2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41

General

Target

2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe
Size

78KB
MD5

9a248e1ed8a6f4e616ec49615b579988
SHA1

fcf296baaae3d6084da8702e0d9b5ab912e74dd3
SHA256

2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41
SHA512

664ad10f23deba3c07d111f29daad0155fd27bc77170c44199a5e7ccf44c6184b92f41eaf31cfdbea65b3ee2a59331ad2c82f90f4408348aed53d4d3a6740c91
SSDEEP

1536:dRWV5jWXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96j9/w81GNL:dRWV5jeSyRxvhTzXPvCbW2UM9/eL

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe

Deletes itself 1 IoCs

pid	Process
3508	tmp78F9.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3508	tmp78F9.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp78F9.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp78F9.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe
Token: SeDebugPrivilege	3508	tmp78F9.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1028	2548	2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe	82
PID 2548 wrote to memory of 1028	2548	2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe	82
PID 2548 wrote to memory of 1028	2548	2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe	82
PID 1028 wrote to memory of 2336	1028	vbc.exe	84
PID 1028 wrote to memory of 2336	1028	vbc.exe	84
PID 1028 wrote to memory of 2336	1028	vbc.exe	84
PID 2548 wrote to memory of 3508	2548	2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe	85
PID 2548 wrote to memory of 3508	2548	2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe	85
PID 2548 wrote to memory of 3508	2548	2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe	85

C:\Users\Admin\AppData\Local\Temp\2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe
"C:\Users\Admin\AppData\Local\Temp\2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cmqiblhk.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7ACD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6563718261F945E29E5FD95FF5B1DBF6.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2336
- C:\Users\Admin\AppData\Local\Temp\tmp78F9.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp78F9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2bbe56004f762a3d176f7493d15081c5f78d59641b7484097082536533918c41.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7ACD.tmp

Filesize
1KB

MD5
15affaf14ff166685f17d50208dd5e72

SHA1
353950b3fa0e04f1a922f9b53d2fd0a37f394c67

SHA256
9c1ec541994d0e9f8490896d7206e2d555a8739dbc06b4b7b802e35dfc8827e2

SHA512
924193196fba6ad59f02c6d01367aa039dbc0b6d6c1b5516dd55ae0eae25a308bf52cc1178c2b7a32c4ef1b1942b4b1761edfea8493161279767ee4973475745

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmqiblhk.0.vb

Filesize
14KB

MD5
0668102ed0c2dd16fd7c5f3a92cce376

SHA1
759b157c38c37981ce518b9e0067b6e10b36c557

SHA256
990b323423ce649e01676867ebc8c42db95cecdd360c7acd318e4245dff18b08

SHA512
d11520e733421361c08ea45c3c9c89d7ab1bfce2e5aa7058e29e3e154b7b2073e5d9de2c6b8b53647679307492a3b3d404a8e16020a0990fa392c00c6f3c2fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmqiblhk.cmdline

Filesize
266B

MD5
6b48f249fa466be9ac83584d725f7f78

SHA1
e682de49821b17b19736dae1047275900d503918

SHA256
e6ad2257aa6a92ec1416ae971bc13cdee6a75ea81ab43b1fb556ea61c4e125b2

SHA512
993fc45ea31944e2604e6f84ca81f7aa1b55b67fd51aea053c463d592a1c258dde74dacf1088e933e54c5205222d73f153b157168797729ac4aef3c79bdf36f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp78F9.tmp.exe

Filesize
78KB

MD5
a9ac8bf17727087436a959cb8ed73c45

SHA1
a0c810ff2412d4fa082baeab15fef9c0ef27d409

SHA256
b4da84813db145d78c67ed01bb523437aeb999970300a1f6f59e7cc9712fa45e

SHA512
a6f060cdd0c19bdc3022c49a5754e20a0b9b547fb14a51f4964bf70baa77f4a3cc033d4791f525011e502a23e7bc09806eb2b94b47dcc6d22889f75f548c0603

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6563718261F945E29E5FD95FF5B1DBF6.TMP

Filesize
660B

MD5
628e0dec4f1672d006228ce215577a39

SHA1
d38c23bc36d7af23228d93347e5cb8bd522aa77f

SHA256
f293a6579094bfa8c596db31d40a9d70f29f345ebb388e8311ca2901ef77efc5

SHA512
93511bce3d8fa6d62420ad17eb26202beed60a01233dc32e41c0d13fd358a107e541564c74cd1edbc0cb9a793529171ca37878c3fef885018c523f9f5db0d465

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1028-9-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/1028-18-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/2548-0-0x0000000075162000-0x0000000075163000-memory.dmp

Filesize
4KB

Download
memory/2548-2-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/2548-1-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/2548-22-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3508-23-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3508-25-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3508-24-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3508-27-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3508-28-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3508-29-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads