metamorpherrat | a54f4d33896a773e0bd42391d59b675d8603e00364ec2707b12721edf6ddce7b

General

Target

a54f4d33896a773e0bd42391d59b675d8603e00364ec2707b12721edf6ddce7b.exe
Size

78KB
MD5

58577b49ccca0e87888646ee1b5b0257
SHA1

f00a554af5dbaeee16fb4a28312c062b1f02d487
SHA256

a54f4d33896a773e0bd42391d59b675d8603e00364ec2707b12721edf6ddce7b
SHA512

96776b4d8744c8739d3f2599ef92dfffe23bbf678e0ec2d7a1dd6fe01cd890134d76361521b65018e3d8a41f8a6359ea5fdbdb54cc6af80104bab7924a393c5e
SSDEEP

1536:fPWV51pJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtS61i9/Bo12I:fPWV5jJywQjDgTLopLwdCFJzdi9/s

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	a54f4d33896a773e0bd42391d59b675d8603e00364ec2707b12721edf6ddce7b.exe

Deletes itself 1 IoCs

pid	Process
3468	tmpBC6A.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3468	tmpBC6A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBC6A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a54f4d33896a773e0bd42391d59b675d8603e00364ec2707b12721edf6ddce7b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	a54f4d33896a773e0bd42391d59b675d8603e00364ec2707b12721edf6ddce7b.exe
Token: SeDebugPrivilege	3468	tmpBC6A.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 1680	2464	a54f4d33896a773e0bd42391d59b675d8603e00364ec2707b12721edf6ddce7b.exe	84
PID 2464 wrote to memory of 1680	2464	a54f4d33896a773e0bd42391d59b675d8603e00364ec2707b12721edf6ddce7b.exe	84
PID 2464 wrote to memory of 1680	2464	a54f4d33896a773e0bd42391d59b675d8603e00364ec2707b12721edf6ddce7b.exe	84
PID 1680 wrote to memory of 3764	1680	vbc.exe	87
PID 1680 wrote to memory of 3764	1680	vbc.exe	87
PID 1680 wrote to memory of 3764	1680	vbc.exe	87
PID 2464 wrote to memory of 3468	2464	a54f4d33896a773e0bd42391d59b675d8603e00364ec2707b12721edf6ddce7b.exe	89
PID 2464 wrote to memory of 3468	2464	a54f4d33896a773e0bd42391d59b675d8603e00364ec2707b12721edf6ddce7b.exe	89
PID 2464 wrote to memory of 3468	2464	a54f4d33896a773e0bd42391d59b675d8603e00364ec2707b12721edf6ddce7b.exe	89

C:\Users\Admin\AppData\Local\Temp\a54f4d33896a773e0bd42391d59b675d8603e00364ec2707b12721edf6ddce7b.exe
"C:\Users\Admin\AppData\Local\Temp\a54f4d33896a773e0bd42391d59b675d8603e00364ec2707b12721edf6ddce7b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fsvoaazz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBDB2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAD2299CD72D24756BA3C1065DCA3843E.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3764
- C:\Users\Admin\AppData\Local\Temp\tmpBC6A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBC6A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a54f4d33896a773e0bd42391d59b675d8603e00364ec2707b12721edf6ddce7b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBDB2.tmp

Filesize
1KB

MD5
a3b6cba4ea44fd28ab44d2a89c19a0f2

SHA1
52a8f7b0c8d2d7747bbb4ea7a5f4e24520c169cb

SHA256
8a900fbb4996f7311b6a38af6defea069a7420a50f28cb53a175cb037eb9c8bd

SHA512
f8e6e2df50eba474b3e01e2e06df591f28b95a343e399a0d834211b6b8376c5ec419183977846133750f5da81dde7fbbb9ab02a225ab6df3fa96ffd0d8599885

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsvoaazz.0.vb

Filesize
14KB

MD5
8c689469dc60e506e04466284936cfd1

SHA1
38074343bf19dec8794af537d451e87637929a07

SHA256
80ebadde1f0353c9bcee519ba46d51d366703ade0567f2fd337a53a40e9f7508

SHA512
590369f762a620086abd14e93819777a41aa9cbd1f6ea8c378e39e6022915735a2ce3e1ff07492e5214494e58ffbe3ef6abee668bb9dd3b6c873cf1d1df7bc18

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsvoaazz.cmdline

Filesize
266B

MD5
0793e5dc0540d816f8f45e0ae331717d

SHA1
982c1d9e21f158ab11712ae7ac6da943cdd988b9

SHA256
d0522524084390189753106add0e672d871187981ae9beea388f060f43e3a7cf

SHA512
91ed4ecbc6fed7beee694848db08d2dba4ef6093cd2670f39ff058628f04a161a517b51d742df9ced5129c4642a5d7e46391e9d41e6eab65b0be3c272c7902dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC6A.tmp.exe

Filesize
78KB

MD5
50c936899d7a03c36abbcbbdbc6ed46d

SHA1
07ee4b7101bb8f4db0915a3836aaada20c13593e

SHA256
172da56f209b83e4dc92c53a0b43c4df3c234f4bf06eedb0ce03167e9e5c45e3

SHA512
45006f29233dcc448631743c47b5b6bc2f4fdabf1381a2c8bf3d396b52462209565c4b20a23a06633e96889d27d36797d9f45354d3bed0c000981cd58079fc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAD2299CD72D24756BA3C1065DCA3843E.TMP

Filesize
660B

MD5
a2e4f1c5859ba78076dd5bdfef9fb7e4

SHA1
e301719e49dba531a1b7dad9713cfead8d360d2b

SHA256
695c11ea8081b361f82a96f0412a915a688cfa98b3961006fde6e8496c96ac2d

SHA512
36bfcd0c3523618800d66334729808afab66ffe9566e45e9fe4895703e19b889d1ac3d52dbd5def9885a1a3d417d7f9f8ecd48ece25116b9c62f327c72e52d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1680-9-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/1680-18-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2464-0-0x0000000074932000-0x0000000074933000-memory.dmp

Filesize
4KB

Download
memory/2464-2-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2464-1-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2464-22-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3468-24-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3468-23-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3468-25-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3468-26-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3468-27-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3468-28-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3468-29-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3468-30-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing