metamorpherrat | 12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407a

General

Target

12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe
Size

78KB
MD5

9460011b1ecf577107187844257003d0
SHA1

4f4359ba3adf88379408d65ae2a6df8af61385a5
SHA256

12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407a
SHA512

24b39278f066f740695b537051ac1a9fb249617ec8ba35f373426bfd73d7191cf4ed56c2c5030c6d189ca67859df40a2667aba3db4d141aea59734f188b37e1a
SSDEEP

1536:ARCHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt/D9/21aG:ARCHFo53Ln7N041Qqhg/D9/2

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
60	1032	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation	12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe

Deletes itself 1 IoCs

pid	Process
776	tmpB779.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
776	tmpB779.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpB779.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB779.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2064	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4908	12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe
Token: SeDebugPrivilege	776	tmpB779.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 5080	4908	12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe	88
PID 4908 wrote to memory of 5080	4908	12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe	88
PID 4908 wrote to memory of 5080	4908	12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe	88
PID 5080 wrote to memory of 1132	5080	vbc.exe	90
PID 5080 wrote to memory of 1132	5080	vbc.exe	90
PID 5080 wrote to memory of 1132	5080	vbc.exe	90
PID 4908 wrote to memory of 776	4908	12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe	91
PID 4908 wrote to memory of 776	4908	12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe	91
PID 4908 wrote to memory of 776	4908	12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe	91

C:\Users\Admin\AppData\Local\Temp\12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe
"C:\Users\Admin\AppData\Local\Temp\12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hgbalnm2.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9BB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5D4D812358914964ACC275353EABB49.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1132
- C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp.exe" C:\Users\Admin\AppData\Local\Temp\12b2eea0b70ac72b28576602a3a73a7a6a5e194b2b77d470f311675d3ea0407aN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:776

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MkRCQ0IzQjUtQTNGOS00MTMyLTk0N0YtMUFEREEwM0VCMjFDfSIgdXNlcmlkPSJ7ODA3NkFBN0EtMUU1Ni00QjA0LTk0RUItQzhFNjdFRjc4QjJEfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MzYzNkNFN0UtMjUxNC00NjMyLUI2QTktNDVERjE5RkYwNjJCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1Mjg3MjgzNTYzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB9BB.tmp

Filesize
1KB

MD5
fd4315a0461423c625a7003efc466e81

SHA1
f1bfe6b7cc451f3419b1876a582ba0a47cbd08fc

SHA256
d6107a5cbddefd6f1dd50dd3ff3633968891dd4af7b9bc58d00f665aa62d986c

SHA512
a8cf910d32f70dc4bc6216908c5b6e13d1d3e9c569303f45fd116fbc2f272fdf81e6323108904ac4655ca1de4f31dde9ab685ae333757c4e340684652df35cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgbalnm2.0.vb

Filesize
15KB

MD5
91c3a77dd2e262eb62412e4d5c5f8a74

SHA1
5e0e4dd02b41ddda453ef43d41e9846fdd2c8175

SHA256
40813bce61dbee8f5776082deab55122f425398133963d7b69e722e5f22945f7

SHA512
ec9a5ca6fc36c4ec002ab5ad2183a291a038c06f46adcc1163d0ac990ad21e3d2ccf14c58ed833145b14e665130c4cb5b581f2c4af29574506bec1f6c7fe4938

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgbalnm2.cmdline

Filesize
266B

MD5
223101ff09d5805145d5352b4215171d

SHA1
f26e2b7e975ffcca1003d2d208dc50bb5fb0da67

SHA256
4c18b846dbad718e527fc72deb9a87b2c7104728c7d2cd78ceb911912d00bd2d

SHA512
cf421932375bdf2896546a59e6cb25f3055dcb23a02b7f42cfd44492c9a62889e26e9836be5ee85070304e366ee43e7ee634d4693591d325d431790a6b64adcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp.exe

Filesize
78KB

MD5
cd0f768e4825576e6b39b89957f106e8

SHA1
fc39d7f847b2c08bc7aa5114f4caccf85ef48554

SHA256
ea271f5d9d45b879222e7d98950908c22d527760681124653dbebe7ff87f71c0

SHA512
d1b130b91ef0548bed0067d3945cc751a9577ab65e95767d65a3350f2fb97d6dc2501945b4589a8ac81ac04c457528407ff84aa871ce2c630dea664dbba5efe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5D4D812358914964ACC275353EABB49.TMP

Filesize
660B

MD5
3ee368e42344ea43dcf2f9b51d33ada5

SHA1
15107329a73da9cb48bc1da3ca7e7e9eabad87ac

SHA256
f5da226d16793a963a8a6fe3bbfa8a8262f8d1a0e4c3c5bdffc0cf5890b1ff7e

SHA512
d05c97cf38c2e3382914385584f63f8c00241c777f0f52711a98056dac95597bc93c30a28e1860ecb4600debdbcb90a725c0aaeb5e3c691281521f390dbb2399

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/776-23-0x0000000074440000-0x00000000749F1000-memory.dmp

Filesize
5.7MB

Download
memory/776-28-0x0000000074440000-0x00000000749F1000-memory.dmp

Filesize
5.7MB

Download
memory/776-27-0x0000000074440000-0x00000000749F1000-memory.dmp

Filesize
5.7MB

Download
memory/776-26-0x0000000074440000-0x00000000749F1000-memory.dmp

Filesize
5.7MB

Download
memory/776-24-0x0000000074440000-0x00000000749F1000-memory.dmp

Filesize
5.7MB

Download
memory/4908-22-0x0000000074440000-0x00000000749F1000-memory.dmp

Filesize
5.7MB

Download
memory/4908-1-0x0000000074440000-0x00000000749F1000-memory.dmp

Filesize
5.7MB

Download
memory/4908-2-0x0000000074440000-0x00000000749F1000-memory.dmp

Filesize
5.7MB

Download
memory/4908-0-0x0000000074442000-0x0000000074443000-memory.dmp

Filesize
4KB

Download
memory/5080-8-0x0000000074440000-0x00000000749F1000-memory.dmp

Filesize
5.7MB

Download
memory/5080-18-0x0000000074440000-0x00000000749F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads