metamorpherrat | c9639ea18ab5b8d22599884c025474dd5d1e8a8b86ce64ef6e7f531861210397

General

Target

c516f4ea1d63d75b0eaf0a1db02a3530.exe
Size

78KB
MD5

c516f4ea1d63d75b0eaf0a1db02a3530
SHA1

f2d3bb4d1d31c315797513b64454d6e12c0a95e2
SHA256

c9639ea18ab5b8d22599884c025474dd5d1e8a8b86ce64ef6e7f531861210397
SHA512

420022d4a20a96f15d10ab59a3de08545149e872637237d7bc3574790bb5e92883bbf449eda5880bb4fe4a59650a1fc0230a69358c846862b612dd2733193ebb
SSDEEP

1536:PuHY6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtLb9/x1JP:PuHYI3DJywQjDgTLopLwdCFJzLb9/9

Score

10^/10

metamorpherrat rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	c516f4ea1d63d75b0eaf0a1db02a3530.exe

Executes dropped EXE 1 IoCs

pid	Process
1000	tmp72BF.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4232	c516f4ea1d63d75b0eaf0a1db02a3530.exe
Token: SeDebugPrivilege	1000	tmp72BF.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 4568	4232	c516f4ea1d63d75b0eaf0a1db02a3530.exe	88
PID 4232 wrote to memory of 4568	4232	c516f4ea1d63d75b0eaf0a1db02a3530.exe	88
PID 4232 wrote to memory of 4568	4232	c516f4ea1d63d75b0eaf0a1db02a3530.exe	88
PID 4568 wrote to memory of 404	4568	vbc.exe	91
PID 4568 wrote to memory of 404	4568	vbc.exe	91
PID 4568 wrote to memory of 404	4568	vbc.exe	91
PID 4232 wrote to memory of 1000	4232	c516f4ea1d63d75b0eaf0a1db02a3530.exe	93
PID 4232 wrote to memory of 1000	4232	c516f4ea1d63d75b0eaf0a1db02a3530.exe	93
PID 4232 wrote to memory of 1000	4232	c516f4ea1d63d75b0eaf0a1db02a3530.exe	93

C:\Users\Admin\AppData\Local\Temp\c516f4ea1d63d75b0eaf0a1db02a3530.exe
"C:\Users\Admin\AppData\Local\Temp\c516f4ea1d63d75b0eaf0a1db02a3530.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3nmk8b8x.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES73F7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF7FF1443C34E4523A124C5217F3C942.TMP"
    3⤵
    PID:404
- C:\Users\Admin\AppData\Local\Temp\tmp72BF.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp72BF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c516f4ea1d63d75b0eaf0a1db02a3530.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3nmk8b8x.0.vb

Filesize
15KB

MD5
d99fd90f3a48ff24c6ac04f0bd7f2f71

SHA1
9213634613e3efa7f1e424f5c4b5242b69048aad

SHA256
13ba98f4e406248a2f6ea757e8ec6f97ab24a18b8f484c4dea6ae25e5dd52755

SHA512
2297af6bfe831f735356f0e1fd0a9744fdd2fc901f11a1fc7ffb9d9fe225d83212c678cf53cff2670ca4943db259e198fbf3b0a87ba540a54afc560f9435b147

Download Submit
C:\Users\Admin\AppData\Local\Temp\3nmk8b8x.cmdline

Filesize
266B

MD5
2b3e0b80ba5c1e934f3d601e6d40e8ae

SHA1
2044b974f21f5a8b65bd793196de803824cf4fa7

SHA256
1cc564828271a1aebf0547db017f1f8ca59f801ad5adb83398e04bf06b31bdf6

SHA512
ca06ffa67ec32055b2420c87e08a66bca536479294aaf81230ee1ec474ee22f585cd0e5d5b034b3a70fe88fd6d2d23804ce3da945ca84c70995446781683f255

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES73F7.tmp

Filesize
1KB

MD5
705ca81b92579b47bf5cc0b91b93b5e9

SHA1
aa7fa0c4c81bd33654daccc88b99fd7417aacdd5

SHA256
0396eb6026967b5b776ecf67ec6ca534bc5feef313d0c2b28ac4a6b7057e56e3

SHA512
884995ee64d6f50979757307d074a1920da516a3bfd70cc91fed6e84b5702dae80d1636eb5319ee3d63c62c855251d337247f9d7b4e50cb5d0a32718b9ab83f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp72BF.tmp.exe

Filesize
78KB

MD5
39f6b22eec84695497d0ee79cabb6033

SHA1
5f2eb2dfa1e6af3c782892a72ac23ddafd4f31c9

SHA256
4ed6e5237250c07ab7e4aa10a45fe4b70c08c0c15c0b474fed5ab004a6c1e067

SHA512
f666e0f89c0395be5edbaa57ec000b9854cfbc4cfc949ff58c640c102bbff3379695c38737b60222a3701517d54f293eb656f07e71ac85fe4383661c6f2fcccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF7FF1443C34E4523A124C5217F3C942.TMP

Filesize
660B

MD5
d87a4a60d01302ba42552486b597f547

SHA1
e1dc2c21e36182980a37ea8a8019bf20e6d5c9c5

SHA256
64db0789c364f98b5d333ef0bca3336f7eff287002294c4f1a9d9a720d83f006

SHA512
de4cf4646c9142358bfa6783f3ec3f9a2a2f03ab69f723af2c46af6023cd37cf82862bbd9f02b7d7495c47fa978e6fdbbd6750a060478f7198b1edb4d741ecb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1000-27-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

Filesize
64KB

Download
memory/1000-28-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/1000-29-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

Filesize
64KB

Download
memory/1000-25-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

Filesize
64KB

Download
memory/1000-21-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/1000-23-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

Filesize
64KB

Download
memory/1000-26-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/1000-24-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/4232-22-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/4232-0-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/4232-2-0x00000000015D0000-0x00000000015E0000-memory.dmp

Filesize
64KB

Download
memory/4232-1-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/4568-8-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing