metamorpherrat | 852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a

General

Target

852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe
Size

78KB
MD5

ffc69516a66858e500dcc05a39fa3d78
SHA1

806791dd76c2419e5c1ee1c61f661babf2d2bb83
SHA256

852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a
SHA512

fa1e052c94236ffdcecadce525a29af2fa6fa6eb48b03f6e9254e1ca36a88ec7c3c7dddbd1e9bce5d4338da5da164870408f03a14111577ad2702fb2fe2ed081
SSDEEP

1536:cRy58MpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtd69v9/S1Zm:cRy58iJywQjDgTLopLwdCFJz+v9/D

Score

10^/10

metamorpherrat rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp6513.tmp.exe

pid process

4972 tmp6513.tmp.exe

pid	process
4972	tmp6513.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe

description pid process

Token: SeDebugPrivilege 4836 852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe

description	pid	process
Token: SeDebugPrivilege	4836	852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exevbc.exe

description	pid	process	target process
PID 4836 wrote to memory of 1364	4836	852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe	vbc.exe
PID 4836 wrote to memory of 1364	4836	852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe	vbc.exe
PID 4836 wrote to memory of 1364	4836	852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe	vbc.exe
PID 1364 wrote to memory of 5088	1364	vbc.exe	cvtres.exe
PID 1364 wrote to memory of 5088	1364	vbc.exe	cvtres.exe
PID 1364 wrote to memory of 5088	1364	vbc.exe	cvtres.exe
PID 4836 wrote to memory of 4972	4836	852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe	tmp6513.tmp.exe
PID 4836 wrote to memory of 4972	4836	852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe	tmp6513.tmp.exe
PID 4836 wrote to memory of 4972	4836	852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe	tmp6513.tmp.exe

C:\Users\Admin\AppData\Local\Temp\852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe
"C:\Users\Admin\AppData\Local\Temp\852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jzoh3uur.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6810.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7DBA710F7A446BB969E577A4A696D9.TMP"
3⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\tmp6513.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6513.tmp.exe" C:\Users\Admin\AppData\Local\Temp\852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe
2⤵
- Executes dropped EXE
PID:4972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6810.tmp
Filesize
1KB

MD5
d32a654c863c2a258fc3fe63d0997c2d

SHA1
0ff5828268b24e8f000ebefed1dc069e0ac64662

SHA256
8f515fcf08a897b8b9f38dd2a84b7d5c82a9cd8f0c426c561924220b4c8123be

SHA512
2bb522c23d151ea86ca538070b6b37e313411c7a3929209dab470d079867129d1ef65a6386dadabe8d659225e4455cfdcad543d4500e5448bd4a144d5216e359

Download Submit
C:\Users\Admin\AppData\Local\Temp\jzoh3uur.0.vb
Filesize
14KB

MD5
f3da7612a6ec93610602785e4746bb44

SHA1
a5bc44a5ffc805136eb71cb9570c4dc0ceb58337

SHA256
01c48d38eb57140ea3507cd0ca18c6d262057ca0bfaeffc976ae241978420bcd

SHA512
adebc416ea34a7a2f8d8b137665fd65a078f43d3c53f14b125cdb4d6ad47d7b684293a92947a84e3287130403eee217b61f2ff136ad62e13d0a2ffe3aa633f93

Download Submit
C:\Users\Admin\AppData\Local\Temp\jzoh3uur.cmdline
Filesize
266B

MD5
381b82b48c80eb0714bfc842826987f2

SHA1
d847064c71e9d27d965979dbf0d12c882ec2bbfe

SHA256
8d2a073fee6da602737f4333ace0d0c09d2af62b9ca25ed7b365ca61818dc687

SHA512
e2fdcc35ee588ee084bc1a278450a6820ac3f48fef030e6e9190d918c1977b4f5631dd0bfd932f10c9566ccca8bede3788b40ae768bc9958ab8dd4ba305b2275

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6513.tmp.exe
Filesize
78KB

MD5
e53c98b461bf0554290b4f821c1a8a34

SHA1
43b1e42617b2d5e2b6204c29fd4c3596714d61a0

SHA256
b27c35a4c0a9706c6e19757b9b356d47ad2a81ccea71d6f04edbd470d85e6947

SHA512
d1e05f0b8164d285744dc22fe2e75715ae2c7fd2c19e1d7ab0e05076fa3d094cb576e8798261e1bdb91982ebf365ddd213ee2c71881762389c7b799715ac4ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6513.tmp.exe
Filesize
78KB

MD5
e53c98b461bf0554290b4f821c1a8a34

SHA1
43b1e42617b2d5e2b6204c29fd4c3596714d61a0

SHA256
b27c35a4c0a9706c6e19757b9b356d47ad2a81ccea71d6f04edbd470d85e6947

SHA512
d1e05f0b8164d285744dc22fe2e75715ae2c7fd2c19e1d7ab0e05076fa3d094cb576e8798261e1bdb91982ebf365ddd213ee2c71881762389c7b799715ac4ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7DBA710F7A446BB969E577A4A696D9.TMP
Filesize
660B

MD5
0a48610a7ca254fb4cc12faac5fa0c1d

SHA1
e2e12de715deae6e467b74035c4a6c83d81f7d40

SHA256
322401b198ac8e49dc53b8a740c1c268670612ec9cc3d7235d24cc69664d3fc3

SHA512
0ff6c1227945f59b58f6057e3fe1538494d443c71f59dd09aa651589c8491b53247bdf1ad8bb454e5dffcd2d0f96b0965e84cf0036b902cb9dc8fe448f5b55f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1364-133-0x0000000000000000-mapping.dmp

Download
memory/4836-132-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/4836-143-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/4972-141-0x0000000000000000-mapping.dmp

Download
memory/4972-144-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/5088-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing