metamorpherrat | f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d

General

Target

f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe
Size

78KB
MD5

54f42b17ddd2252d4d53db327a6c5fbd
SHA1

db7b765012e7f85a6dc3db7aa12a314cf07c0858
SHA256

f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d
SHA512

0b6fde744f424c0e4dcc7c971f9eb4c6c025847fac72b89cd1590e620bc04d4c48f05681bdda89b93b88e522cd29ff219ec631bd15ad42bc50161287f24f7c3f
SSDEEP

1536:2uHHuaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtLKk9/A18O:2uH/3DJywQjDgTLopLwdCFJzLKk9/6

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe

Deletes itself 1 IoCs

pid	Process
3644	tmpA1FD.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3644	tmpA1FD.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA1FD.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe
Token: SeDebugPrivilege	3644	tmpA1FD.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 1232	2848	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe	84
PID 2848 wrote to memory of 1232	2848	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe	84
PID 2848 wrote to memory of 1232	2848	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe	84
PID 1232 wrote to memory of 3504	1232	vbc.exe	86
PID 1232 wrote to memory of 3504	1232	vbc.exe	86
PID 1232 wrote to memory of 3504	1232	vbc.exe	86
PID 2848 wrote to memory of 3644	2848	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe	89
PID 2848 wrote to memory of 3644	2848	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe	89
PID 2848 wrote to memory of 3644	2848	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe	89

C:\Users\Admin\AppData\Local\Temp\f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe
"C:\Users\Admin\AppData\Local\Temp\f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rudmp3in.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA42F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5200397E9F4C40F18A736FCF44557490.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3504
- C:\Users\Admin\AppData\Local\Temp\tmpA1FD.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA1FD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA42F.tmp

Filesize
1KB

MD5
fc5c9a21cfbad8bf535bcf2d97996419

SHA1
193e7d8edc73425dd3b4652d3898f927930a5a93

SHA256
e655046710e203617ee791ca4cbadc36a414e582ba69611c1b1f70cd0a05a4b0

SHA512
d7fb3cbb4d28a6bed1f63e3dd0909b20caaf44602b35c647676b167e747bc5aa5fa052638460f42668d61ad0414eb9bfac6c9413a1ad39ad4b9c262219b8bcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rudmp3in.0.vb

Filesize
15KB

MD5
d1eb375349803db500cfb106407dd54e

SHA1
e6db58f651afd6c17228ef9ee5a3aef66d939042

SHA256
b7d77bbc317847bc5e7d457869a1d72f6659f2ffbefdf2d1c5c4609dc6e87cf7

SHA512
997bb77d07d1ce035b6049da5191209bcc30fe6f4046b7593b469f6f347e91438a6253feb9c2e2edc96e2d0c9e384d9a08be1ff612fa1d2c79d9636bb8f7cdad

Download Submit
C:\Users\Admin\AppData\Local\Temp\rudmp3in.cmdline

Filesize
266B

MD5
099ec027dfc603e79ff9bb23747fa064

SHA1
c52083ad62bb063df09894b6a06f9cb6d8ef3a3e

SHA256
02fbe4f1bf03bbba38b379cb4abbde823694ac393bd1d207af5c76553624080a

SHA512
cc07a19d2e64549f682224a6e3f3dbb54c9f53f8534fa9e1d41f86105ea97f2a102a2103325b0dd0f994de109e699a80f5f7f6a715335147dc5a07784a64a4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA1FD.tmp.exe

Filesize
78KB

MD5
7a9139860755d578b99baa36989680a5

SHA1
a38e65370d1c32368df6fe6d377295980caf5907

SHA256
5a356f2f13ead04287eff7f659918bba108720a1a6153ca8e4c21c7f8ed501ae

SHA512
0814d8a62cd465bc73ed103aafe86d6de19462c8b844ac37152808c85799767ec48a9f58bd52af28618e0f046a172bfba6a53531043d6172bc304b8946ed5c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5200397E9F4C40F18A736FCF44557490.TMP

Filesize
660B

MD5
5f60dd9eaa077ff92578300a360dc659

SHA1
8ac8a0a84f16285d8797e9df7b8b09d7dfb1e8ba

SHA256
21ff44ac4c14982706165f6604e19936988e613f1441a5ee35c8462c32af3dbf

SHA512
67eb1c5f7d1f5d9702d684942b36750564bdc80dcbedf8dcdda60fdc5e93917f28b7281825576ab0af3f7cedb97a70f4ecf43a6c4c1055f224b226b9063d9cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1232-9-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/1232-18-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/2848-0-0x0000000074812000-0x0000000074813000-memory.dmp

Filesize
4KB

Download
memory/2848-22-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/2848-2-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/2848-1-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3644-23-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3644-24-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3644-25-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3644-26-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3644-27-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3644-28-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing