metamorpherrat | be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c

General

Target

be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe
Size

78KB
MD5

1c7327ce77601ba4265336d2e9ea82cd
SHA1

ab1ad762473ad932f162eb9db4aa5b65cd3f9f72
SHA256

be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c
SHA512

b7a1675b845fb50c98789b7343b024241d97227e3a026fb73260964231a95f4b4af901840c6a41e4595922db12d160e8d2efe270ef36b31dac752d36dcc30d01
SSDEEP

1536:RYV5jSepJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtt6f9/UZa1LF:GV5jSwJywQjDgTLopLwdCFJzg9/Oy

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe

Executes dropped EXE 1 IoCs

pid	Process
756	tmpBA86.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBA86.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3240	be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe
Token: SeDebugPrivilege	756	tmpBA86.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 2552	3240	be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe	84
PID 3240 wrote to memory of 2552	3240	be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe	84
PID 3240 wrote to memory of 2552	3240	be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe	84
PID 2552 wrote to memory of 2872	2552	vbc.exe	87
PID 2552 wrote to memory of 2872	2552	vbc.exe	87
PID 2552 wrote to memory of 2872	2552	vbc.exe	87
PID 3240 wrote to memory of 756	3240	be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe	90
PID 3240 wrote to memory of 756	3240	be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe	90
PID 3240 wrote to memory of 756	3240	be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe	90

C:\Users\Admin\AppData\Local\Temp\be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe
"C:\Users\Admin\AppData\Local\Temp\be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fk9bazw2.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBFD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA58D1A94F9E046EB92AABABB025BC9F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2872
- C:\Users\Admin\AppData\Local\Temp\tmpBA86.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBA86.tmp.exe" C:\Users\Admin\AppData\Local\Temp\be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBBFD.tmp

Filesize
1KB

MD5
e8550d7a95f77a42260e6913566a9784

SHA1
902899127bc70ed8320b72327a33307daaa69af9

SHA256
e03ed1aab2068cb8ff89fadc7e0f0729104ab5f0673d83da0d5259fb0f2debae

SHA512
755195ffea433f83007bd64b9481fa9d3ac77991f64c80e0f5b2f9c5a5950508b6ea0e2f134738253db085d8ec7ebb92f19a906839c8dbc280b19d860e4c3bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fk9bazw2.0.vb

Filesize
14KB

MD5
af9c599c7e820af5f459f0536d95d4c9

SHA1
3a8382441cff76e17516b6c948b0ed04b130e8c4

SHA256
5155dbb0f8d8e7f174707466a7b5484ff77cbeb6d4d6e0b58224ae3734d7b5b1

SHA512
03dbbe57623a2f3642ad4f88c0c0e34f1992c858f1cb3926a290e386ec5ae99b912a7793c496777de787a4326104cca643579cda52ffc914c92c1d1f4d504739

Download Submit
C:\Users\Admin\AppData\Local\Temp\fk9bazw2.cmdline

Filesize
266B

MD5
fca9f7057eda8a270bab87cfa24beeac

SHA1
25b562ddacf83da05f6677d5c1c067053d3052e0

SHA256
46d1253e36d383502aab8279d70e0ced81064284999afbff6eaa1d5df55e635f

SHA512
7077288b29f376db406a24d891f928e3ea5fd567d596905dcc1d393fe9db8fea8c1890758f9d9e3ea9b6058287eb2dc378ba8cc3634696778af1da678e6bf623

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA86.tmp.exe

Filesize
78KB

MD5
4a4330b679b53bff71ffcf4684b81a91

SHA1
052ce93171ddf5c98ce77808964df56cdfde8fdc

SHA256
1779c6071c57d7764a4db5fd0aaea5d56f623076ff2942f132770f93682546eb

SHA512
2ba5ac418055bc8baa309d026c4d683867ddf6d6dcc4f6bf8b1a48cc0750db726d8bb98c6aa9dce346663f1cb9fb26f9ad5be24ed9c524a00507acb75b1b1c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA58D1A94F9E046EB92AABABB025BC9F.TMP

Filesize
660B

MD5
1a66ade824a3a255f66cabf9a195c72b

SHA1
686c2f8107a6cecb9d41ea4c56fda2559cc34ef3

SHA256
99720235978d6ec59fc1cf9fb39cc0df68b4e0a1549994cdd1d88956c0fae2a0

SHA512
5cf80712f925c581b6d403373af1a1f66f8b67ca9fe69efcf1ffb53202af9713c8cfe7000642c5bd998c14589a211690c0afe3c3239ece524173d37d91f5b655

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/756-26-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/756-27-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/756-30-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/756-29-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/756-28-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/756-25-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/756-23-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/756-24-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2552-9-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2552-18-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3240-22-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3240-0-0x0000000074932000-0x0000000074933000-memory.dmp

Filesize
4KB

Download
memory/3240-1-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3240-2-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing