metamorpherrat | 551bc2bb30074ddca44e435ab475d51497f51ad7bb81c011c3e3f21ed618fad0

General

Target

e08c72efa7445bed749b9ae18f8ee52f.exe
Size

78KB
MD5

e08c72efa7445bed749b9ae18f8ee52f
SHA1

b6fa45dd676ed0ab33d1c53985b18bd2fbb8026a
SHA256

551bc2bb30074ddca44e435ab475d51497f51ad7bb81c011c3e3f21ed618fad0
SHA512

58fe460dd77c8fd8788ab663edb99685e3db75cac33f44d5f87a3b038ab50545201d5e5e0d2039e00dc4d4ca88523916e366505b5274d87f5bd227c4956d0110
SSDEEP

1536:avWV5zpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti6P9/lmC1st:EWV5NJywQjDgTLopLwdCFJz39/kH

Score

10^/10

metamorpherrat rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	e08c72efa7445bed749b9ae18f8ee52f.exe

Executes dropped EXE 1 IoCs

pid	Process
1556	tmp824F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4148	e08c72efa7445bed749b9ae18f8ee52f.exe
Token: SeDebugPrivilege	1556	tmp824F.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 4932	4148	e08c72efa7445bed749b9ae18f8ee52f.exe	96
PID 4148 wrote to memory of 4932	4148	e08c72efa7445bed749b9ae18f8ee52f.exe	96
PID 4148 wrote to memory of 4932	4148	e08c72efa7445bed749b9ae18f8ee52f.exe	96
PID 4932 wrote to memory of 2276	4932	vbc.exe	98
PID 4932 wrote to memory of 2276	4932	vbc.exe	98
PID 4932 wrote to memory of 2276	4932	vbc.exe	98
PID 4148 wrote to memory of 1556	4148	e08c72efa7445bed749b9ae18f8ee52f.exe	99
PID 4148 wrote to memory of 1556	4148	e08c72efa7445bed749b9ae18f8ee52f.exe	99
PID 4148 wrote to memory of 1556	4148	e08c72efa7445bed749b9ae18f8ee52f.exe	99

C:\Users\Admin\AppData\Local\Temp\e08c72efa7445bed749b9ae18f8ee52f.exe
"C:\Users\Admin\AppData\Local\Temp\e08c72efa7445bed749b9ae18f8ee52f.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jzmzllew.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8397.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc923877E16F7D40628B43BBB9FC6AF55.TMP"
    3⤵
    PID:2276
- C:\Users\Admin\AppData\Local\Temp\tmp824F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp824F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e08c72efa7445bed749b9ae18f8ee52f.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1312 --field-trial-handle=2260,i,4762972005863767630,9297428255150568035,262144 --variations-seed-version /prefetch:8
1⤵
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8397.tmp

Filesize
1KB

MD5
c8edf8567bac6ef2f6adfc6f7a3bfb87

SHA1
300bb9eb00621683b3749f7c82e126f8ae8630bd

SHA256
d1722fdf65f8bb1eaa69208db15e0b8e1205d653ee8d1bdbbb78b01893bb844f

SHA512
6cbbec0c2c1e6921f27ea570568882e5289e22878adff7ed331e1a8944a46d66d274ec98c2b53a64149b6968650842c6760189eecbd17665197c37049af40892

Download Submit
C:\Users\Admin\AppData\Local\Temp\jzmzllew.0.vb

Filesize
14KB

MD5
96aab1b67ea5d98d60eab371abb81dcd

SHA1
f58a878285c0fb1643691ca8275f2f8f75270ae0

SHA256
2f9441a39a892b0db3c25c1d5e8f3db5e1cefc1304a5fd5217ff7111ddac6d30

SHA512
54445fab7500f444010cf3d7fb9fc06863d8686fd6f459c499317afcb39343b677724303612aef66140bd6b8bcb76c369964c0715026997f205fb83c1eb7d0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jzmzllew.cmdline

Filesize
266B

MD5
9197f8ecd17746115c41da25656eab83

SHA1
b62ed62e2239cb0adb42cef01039a92f4e32d878

SHA256
fe11b4d2ec3f962b20bef754a580f4036be537a3c8349bb882f80de4ced041a9

SHA512
5e3e0443c5529e5804977f90d6707acfcc570beccaed76f7a1298a031484f5a4a80a9f3920ebb86dd6fe919f8f878cb5d1877e4b101b686469d7d5fab840e619

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp824F.tmp.exe

Filesize
78KB

MD5
f9331e2aee92c0d05b65f60703c5f851

SHA1
06da5503b8b287e37a1a36c2dbac14b77cc20abb

SHA256
c2b8e8ad671ae40b96e0b2bbfe2ecd5194d5ae0469b349f8d375a1713be2c324

SHA512
222c72bf4b6f334dc7d74e18ba46c1e1579f5d347fcc212e6e9a431b155f1216f1a7916b3d05135a9e9f7ac23116d3c8b75dee988985ba9cd5f272109a123a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc923877E16F7D40628B43BBB9FC6AF55.TMP

Filesize
660B

MD5
4972f4c210ba991f291f5594efb574a6

SHA1
5fd4898cb465cca0c7e59107872b3d4a879c3522

SHA256
b078ff6201a7e2d2ca7a9c15d601652242ffdc2c1f0b1f4f61d64c12cdc41874

SHA512
0380715c8fba2fca440927da9c0341016345b553ae98c6a09344c5ebf4ce20d8bdd479c616588f05e398db801836b8d6c79f671b806793c6ef192717188458e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1556-23-0x0000000001850000-0x0000000001860000-memory.dmp

Filesize
64KB

Download
memory/1556-21-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/1556-24-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/1556-25-0x0000000001850000-0x0000000001860000-memory.dmp

Filesize
64KB

Download
memory/1556-26-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/1556-27-0x0000000001850000-0x0000000001860000-memory.dmp

Filesize
64KB

Download
memory/1556-28-0x0000000001850000-0x0000000001860000-memory.dmp

Filesize
64KB

Download
memory/4148-2-0x00000000019B0000-0x00000000019C0000-memory.dmp

Filesize
64KB

Download
memory/4148-1-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/4148-22-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/4148-0-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/4932-8-0x00000000022E0000-0x00000000022F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing