metamorpherrat | 82034508e6639dcbf9bb36c028e7b35ad271779a242870a3839ee148b4ea9305

General

Target

NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe
Size

78KB
MD5

004c34856806b862f88d96f92c46ddb0
SHA1

247e797d9e8f8e22a4856bffba868815539b8c2a
SHA256

82034508e6639dcbf9bb36c028e7b35ad271779a242870a3839ee148b4ea9305
SHA512

911274d17ca625b42944b6d4e5368c35e4696608203d76bfe2252a4e2d0eeb3582ed7e67a617ff1cfaa802dc998fb4321224009f0887913f2ee8bb0325e59999
SSDEEP

1536:GPCHY6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtx9/L1mr:GPCHYI3DJywQjDgTLopLwdCFJzx9/6

Score

10^/10

metamorpherrat rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe

Executes dropped EXE 1 IoCs

Processes:

tmpFA3E.tmp.exe

pid process

1688 tmpFA3E.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

NEAS.004c34856806b862f88d96f92c46ddb0_JC.exetmpFA3E.tmp.exe

description pid process

Token: SeDebugPrivilege 4140 NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe
Token: SeDebugPrivilege 1688 tmpFA3E.tmp.exe

pid	process
1688	tmpFA3E.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4140	NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe
Token: SeDebugPrivilege	1688	tmpFA3E.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

NEAS.004c34856806b862f88d96f92c46ddb0_JC.exevbc.exe

description	pid	process	target process
PID 4140 wrote to memory of 4508	4140	NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe	vbc.exe
PID 4140 wrote to memory of 4508	4140	NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe	vbc.exe
PID 4140 wrote to memory of 4508	4140	NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe	vbc.exe
PID 4508 wrote to memory of 3948	4508	vbc.exe	cvtres.exe
PID 4508 wrote to memory of 3948	4508	vbc.exe	cvtres.exe
PID 4508 wrote to memory of 3948	4508	vbc.exe	cvtres.exe
PID 4140 wrote to memory of 1688	4140	NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe	tmpFA3E.tmp.exe
PID 4140 wrote to memory of 1688	4140	NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe	tmpFA3E.tmp.exe
PID 4140 wrote to memory of 1688	4140	NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe	tmpFA3E.tmp.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vnqv9_a0.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDF7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFF3D484D85E4C119918FEF9FA804FE.TMP"
3⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\tmpFA3E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpFA3E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1688

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFDF7.tmp
Filesize
1KB

MD5
f24fcde49b8134e463e320ce923824f8

SHA1
f922b1ef9431dcdbd7113483b46c9d98a40b047c

SHA256
e80e4638866646063287dcaa0f4fae6b7ef529f33d34c600f71ace0a948d10e8

SHA512
9c8424d225b2287a92b3859970f7de1db1213e8775cb6adffd112f9cf49222022634decc7072a170f827f9ad7a10976653c6dcbe97f867bd47e3964adfdab7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFA3E.tmp.exe
Filesize
78KB

MD5
b0c946eece54c09881aeebcf2627601f

SHA1
b932d3adb5b6c1f2d327c7ed968a46c1dec0e666

SHA256
f550664b295624b4df6d84311d64a1c5e5bff064612fc40c1b83722e70a81dbf

SHA512
e3b3bbca2774d59fefc09e48e474e1b2a9e21de773586132204875c71446fde93464106aa0271997e381ab5c2547b0d32e39bf5e20b5054a8edb879fa428fcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFA3E.tmp.exe
Filesize
78KB

MD5
b0c946eece54c09881aeebcf2627601f

SHA1
b932d3adb5b6c1f2d327c7ed968a46c1dec0e666

SHA256
f550664b295624b4df6d84311d64a1c5e5bff064612fc40c1b83722e70a81dbf

SHA512
e3b3bbca2774d59fefc09e48e474e1b2a9e21de773586132204875c71446fde93464106aa0271997e381ab5c2547b0d32e39bf5e20b5054a8edb879fa428fcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFF3D484D85E4C119918FEF9FA804FE.TMP
Filesize
660B

MD5
747e6446aa2c5dd92fbbe7020e0b9da2

SHA1
3a0e068bdcbca003a7af806af9d315969c2be3bc

SHA256
b11c951756fca5f4f0e693ad8174ac98dfdaafbae33f39611f1bacb65bb786dc

SHA512
208331cadb681a753766a21002cd8185525a8f46897bda0b422bc3cc2985518cc77161cc313698f5f8baa53a8239ea7ab83db0a35c0e24e555b25d3b99437ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnqv9_a0.0.vb
Filesize
15KB

MD5
c36a2d260e05a7b74d96ee36f35afab0

SHA1
2e35ab7918a4e8128666437afa29838983098e50

SHA256
a3dceda8ee100a463ba5a2160528b8354e679d5df110b749762c909bcbe1ffee

SHA512
ddf2090b8b284f492f0d0f7293141626b09f879fdade1c7b8f4f8d6c11c930120ea5c76d1f7669434688cb5c7080e9876f5cc5b492e300b97c42a36180037dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnqv9_a0.cmdline
Filesize
266B

MD5
92faac6945dc365074faf18a0d31d054

SHA1
230c211395c3d3369e3660fcb55284f530e11df8

SHA256
288dc07212640a56820e68c1589da0309544251377a396dcb92f18deaa1e96a9

SHA512
2745a30a830871e2ee742c618e2f97bac8ce16582e97272649b8154df106ee35733f7afc4e3adbbcf0ce3841dcf670d6eaad2217d879fa90013626a0161306be

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1688-25-0x0000000075150000-0x0000000075701000-memory.dmp

Filesize
5.7MB

Download
memory/1688-23-0x00000000015D0000-0x00000000015E0000-memory.dmp

Filesize
64KB

Download
memory/1688-26-0x00000000015D0000-0x00000000015E0000-memory.dmp

Filesize
64KB

Download
memory/1688-27-0x00000000015D0000-0x00000000015E0000-memory.dmp

Filesize
64KB

Download
memory/1688-22-0x0000000075150000-0x0000000075701000-memory.dmp

Filesize
5.7MB

Download
memory/1688-24-0x0000000075150000-0x0000000075701000-memory.dmp

Filesize
5.7MB

Download
memory/4140-21-0x0000000075150000-0x0000000075701000-memory.dmp

Filesize
5.7MB

Download
memory/4140-0-0x0000000075150000-0x0000000075701000-memory.dmp

Filesize
5.7MB

Download
memory/4140-2-0x0000000001810000-0x0000000001820000-memory.dmp

Filesize
64KB

Download
memory/4140-1-0x0000000075150000-0x0000000075701000-memory.dmp

Filesize
5.7MB

Download
memory/4508-8-0x0000000002260000-0x0000000002270000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing