metamorpherrat | f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d

General

Target

f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe
Size

78KB
MD5

54f42b17ddd2252d4d53db327a6c5fbd
SHA1

db7b765012e7f85a6dc3db7aa12a314cf07c0858
SHA256

f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d
SHA512

0b6fde744f424c0e4dcc7c971f9eb4c6c025847fac72b89cd1590e620bc04d4c48f05681bdda89b93b88e522cd29ff219ec631bd15ad42bc50161287f24f7c3f
SSDEEP

1536:2uHHuaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtLKk9/A18O:2uH/3DJywQjDgTLopLwdCFJzLKk9/6

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe

Executes dropped EXE 1 IoCs

pid	Process
4616	tmp88A8.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp88A8.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3080	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe
Token: SeDebugPrivilege	4616	tmp88A8.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 4876	3080	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe	84
PID 3080 wrote to memory of 4876	3080	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe	84
PID 3080 wrote to memory of 4876	3080	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe	84
PID 4876 wrote to memory of 1060	4876	vbc.exe	86
PID 4876 wrote to memory of 1060	4876	vbc.exe	86
PID 4876 wrote to memory of 1060	4876	vbc.exe	86
PID 3080 wrote to memory of 4616	3080	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe	89
PID 3080 wrote to memory of 4616	3080	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe	89
PID 3080 wrote to memory of 4616	3080	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe	89

C:\Users\Admin\AppData\Local\Temp\f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe
"C:\Users\Admin\AppData\Local\Temp\f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1dvw8uyb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8964.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD57FFB4BA99D464383CBAAB489FE45B.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1060
- C:\Users\Admin\AppData\Local\Temp\tmp88A8.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp88A8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1dvw8uyb.0.vb

Filesize
15KB

MD5
fd15d57db78fe76083fbe59e4703abc7

SHA1
1b413674efe30ba280f8aaa9bcc1a41fe2412954

SHA256
996303a35baf85dc57382fcf1c58562e1d15291159ccdcf9ac8250566a019d49

SHA512
422fe1a70794acb906746247ab214b772a0b0d39874212b11d51897c6020af9ff4f5640d908f25f3411cde46b4f74d3504bb9527c2db96523aac49bc12bbb2e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1dvw8uyb.cmdline

Filesize
266B

MD5
baa3ec4e6007aee10db62c40769a1616

SHA1
ce6141e3534354d0db59cd19207674658012cb40

SHA256
2a84ff3dd3d831ce4264303b35645038f62c2f64a722cffb8056837e053332aa

SHA512
14a67c5c6d917b38a21222ad8ceda406cba92aa90b07be9a3f2f9861ddd665bb4c5f57e2f2b5856390923895ff0db17691b6fe3b755acbcf9df1baf2212537e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8964.tmp

Filesize
1KB

MD5
15e5e3242cba1c22e13eb07d69b12b0d

SHA1
b6faef0cfcb63273ef9eafd348020a02e1b878c5

SHA256
e26c49f2c7a9216931dc31e764228905bff4c5bf303f4f03330222cc649986aa

SHA512
07562a6c1ec6f8779396c629c952cb611fa52272472afaca96b5743589316219480bfcf6898cfb6a27735cff22336bef3086fe2d64492ad97ff14cf42d6f1c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp88A8.tmp.exe

Filesize
78KB

MD5
56effe78a98c6410c83abe5405162cc7

SHA1
7cac94087973c7c741817bd8c15a7852d6d60a74

SHA256
c49ccd49541c8c00f727a66f69cb1333fbfdb80b59818091cb05be94016aba81

SHA512
c3268dc465c9bdcff756f6152712b808ff5c5c382a22d26aa8894b230560bca71e572a2437a9791f07df5035ecc276efa1e325bc5dca96fc0ffe5f4e2af426b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD57FFB4BA99D464383CBAAB489FE45B.TMP

Filesize
660B

MD5
9752bc83665d4a860bdeaa8716f7114b

SHA1
fb90e571953fc9e6dd61e2dfa25411f8b9a81fcc

SHA256
4a5777e62207f3c5fd7eebe44bb33ecb1a8a85503298d74f241536c277aa032c

SHA512
ae6b1265e08a92106bf4b3db0b148e413159b35c494073479ae8eb17223bd726957ad29f5982759847bc00c2d55b66bb220cced6ed7716412e30b2af9b39f264

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/3080-1-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/3080-2-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/3080-0-0x0000000075372000-0x0000000075373000-memory.dmp

Filesize
4KB

Download
memory/3080-23-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/4616-28-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/4616-27-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/4616-22-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/4616-24-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/4616-25-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/4616-26-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/4876-9-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download
memory/4876-18-0x0000000075370000-0x0000000075921000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing