metamorpherrat | 190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061

General

Target

190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe
Size

78KB
MD5

daa403e3352b2457a3c6446877612209
SHA1

b69c26b5d22257793cfcf4e06a6ad9dd097da72a
SHA256

190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061
SHA512

a4c5fcc13aec1001eefdf51b47b9dd7a7b1d358eba5d27a774222f5bdc34c1571aa901bb7af95fb04b1d7352c6d18bc618109d4b9bc17d28a3d9c46160907a93
SSDEEP

1536:wc58YpJywt04wbje37TazckwzW4UfSqRovPtoY0BQt96A9/n1mI:wc58WJywQj2TLo4UJuXHhn9/N

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe

Deletes itself 1 IoCs

pid	Process
3276	tmp12A8.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3276	tmp12A8.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp12A8.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	404	190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe
Token: SeDebugPrivilege	3276	tmp12A8.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 5088	404	190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe	84
PID 404 wrote to memory of 5088	404	190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe	84
PID 404 wrote to memory of 5088	404	190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe	84
PID 5088 wrote to memory of 2944	5088	vbc.exe	87
PID 5088 wrote to memory of 2944	5088	vbc.exe	87
PID 5088 wrote to memory of 2944	5088	vbc.exe	87
PID 404 wrote to memory of 3276	404	190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe	89
PID 404 wrote to memory of 3276	404	190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe	89
PID 404 wrote to memory of 3276	404	190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe	89

C:\Users\Admin\AppData\Local\Temp\190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe
"C:\Users\Admin\AppData\Local\Temp\190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b5rex4cz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13F0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAEB6D739381141A5B644ABD6F3844A87.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2944
- C:\Users\Admin\AppData\Local\Temp\tmp12A8.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp12A8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES13F0.tmp

Filesize
1KB

MD5
128afa8d17b10e7c4ecbc98f4f25de34

SHA1
bdc1750de9654dd7902ae0069261ff1f0f24e1ae

SHA256
8e9c27a65da0c909352ca47c0ce540af22e7ced9f27f44ff195f95595b00c9f1

SHA512
3f09ef438c42f2e6d88b9b0500c0289f2acba455b41363bed3c36a7e3ea37057ef9a8e5ee4b192a663b36d7f050111c859da8a4e5e14cfa6702ed2fabdc47c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5rex4cz.0.vb

Filesize
14KB

MD5
e08acc8733d641b7876d4cc1b9a013ba

SHA1
b13043fc592bfd140792ff5ef815d9b411459376

SHA256
c290a53bdb2d9e78a89e5299ad6239e02d15c60ecde26824c80a781cc4218b1e

SHA512
41ec4350de07b71f4362d217817c241a089feeb2ff1fed2750c466e557af8966b23d4de6ff62080ef6a08870bebb5b5c7613fcfdf9480cf07de9d2111d157e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5rex4cz.cmdline

Filesize
266B

MD5
33abd8c67a236b9e423332d546db1643

SHA1
2aeb60becd495e6004200a8b89188357b488de31

SHA256
2179a6e871af9a0cabf3e4b3dbc6d3efdf6ec88e8e6c1ef1ab39312691f194f6

SHA512
e0a1f589568eb366c473e401dd80b2552a7d2161bf015cf42ae8b477753a7fc90042166c4933cc088a9795ca7324e84a7131464b64b76d44d92c379eec342ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp12A8.tmp.exe

Filesize
78KB

MD5
2c0cb064f24b9f315017b2656e923af6

SHA1
ef449a81aae1ca0f9bd1cfb047f5afd6a9c317fa

SHA256
6a18aadb101e47ab61c9f5c26f48369b4453dad0fcfc8a04251749059d7cd2fe

SHA512
47f9f1e9d4d52b461dca438ee42272d98aead41fdf76a2569b017cf146ece9ff92d39b17cafe98b95a9cadaaf056d2512f0646b0374b8db816e7f2a34748244a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAEB6D739381141A5B644ABD6F3844A87.TMP

Filesize
660B

MD5
9a570b23f5399875979c705b2b0d3d93

SHA1
85317305bdb549226161fe0fb90b492a764786e0

SHA256
9e21ae8e51319885dcf6458eef02eb293635ff2b724fa92d88db3e6331a15ff2

SHA512
005536d9082b9ba2af7341f1de75e3ecc768bdbd5dffc8f9b40c30da3b8e3ad93750a33ab3bb3aab7e5763469fa2d7c0e2013319770d54474aafd4ed41acebcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8008b17644b64cea2613d47c30c6e9f4

SHA1
4cd2935358e7a306af6aac6d1c0e495535bd5b32

SHA256
fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

SHA512
0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

Download Submit
memory/404-1-0x0000000075530000-0x0000000075AE1000-memory.dmp

Filesize
5.7MB

Download
memory/404-2-0x0000000075530000-0x0000000075AE1000-memory.dmp

Filesize
5.7MB

Download
memory/404-0-0x0000000075532000-0x0000000075533000-memory.dmp

Filesize
4KB

Download
memory/404-22-0x0000000075530000-0x0000000075AE1000-memory.dmp

Filesize
5.7MB

Download
memory/3276-23-0x0000000075530000-0x0000000075AE1000-memory.dmp

Filesize
5.7MB

Download
memory/3276-24-0x0000000075530000-0x0000000075AE1000-memory.dmp

Filesize
5.7MB

Download
memory/3276-25-0x0000000075530000-0x0000000075AE1000-memory.dmp

Filesize
5.7MB

Download
memory/3276-26-0x0000000075530000-0x0000000075AE1000-memory.dmp

Filesize
5.7MB

Download
memory/3276-27-0x0000000075530000-0x0000000075AE1000-memory.dmp

Filesize
5.7MB

Download
memory/5088-18-0x0000000075530000-0x0000000075AE1000-memory.dmp

Filesize
5.7MB

Download
memory/5088-8-0x0000000075530000-0x0000000075AE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing