metamorpherrat | 7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37

General

Target

7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe
Size

78KB
MD5

8fc1cbf2ecf911fcdaa93d8dea69d2e6
SHA1

6eff15da66f4bb7741547e8985bf963add381738
SHA256

7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37
SHA512

dd138c2a0a4860477664bdb83389b0693115cc080234f0b46c977c7450d370033618c19c2fc6d290545f2a6322f57a5661651f5c48e9761cfe123b22b3731661
SSDEEP

1536:DHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtpa9/x1cS:DHFoI3DJywQjDgTLopLwdCFJzpa9//

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe

Executes dropped EXE 1 IoCs

pid	Process
4292	tmp9A4C.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9A4C.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4652	7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe
Token: SeDebugPrivilege	4292	tmp9A4C.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 2688	4652	7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe	84
PID 4652 wrote to memory of 2688	4652	7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe	84
PID 4652 wrote to memory of 2688	4652	7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe	84
PID 2688 wrote to memory of 1344	2688	vbc.exe	87
PID 2688 wrote to memory of 1344	2688	vbc.exe	87
PID 2688 wrote to memory of 1344	2688	vbc.exe	87
PID 4652 wrote to memory of 4292	4652	7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe	89
PID 4652 wrote to memory of 4292	4652	7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe	89
PID 4652 wrote to memory of 4292	4652	7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe	89

C:\Users\Admin\AppData\Local\Temp\7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe
"C:\Users\Admin\AppData\Local\Temp\7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mtv8ienv.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BC3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB68EF1E5E5434821BB159A539EFC6095.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1344
- C:\Users\Admin\AppData\Local\Temp\tmp9A4C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9A4C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9BC3.tmp

Filesize
1KB

MD5
768c79bd404360075a25c6f7daa294d7

SHA1
7b2a45510efcc9e9f02126785cc472c2bd15d989

SHA256
1c3032be4e6fefdaf51f9c8820dbda2b1a0937017b2a8bf1b043958c6c04f7c7

SHA512
72b026fc6a48c442f6787b88067a5d4b94fc0a9d05d97b1f20a16bfe07891e205100197d764de623a8d7e35dba4c3ebd7e3738d9f12188abaff6d24849b19cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mtv8ienv.0.vb

Filesize
15KB

MD5
8c50adb0a42f260873364f02778659f9

SHA1
bf042e434ecbfeba72db20e91ce19878de6ae038

SHA256
29892f743737f48a847c05b20c12511e4db5e856f7a1323e99cd3701cf96c102

SHA512
d436af482a29cf703c2cb31b6fb40436ca35bc87df07af7ce423c98cb1f89ff8ee34bc0c7481d9d128819ad797aa415eaf03931c976d0d9dddaff61b8496d5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\mtv8ienv.cmdline

Filesize
266B

MD5
447733db32e6ff149e9ebfc99383f598

SHA1
361fc537ce54e7a0cbcce804c443200582372b44

SHA256
92aa3adcc131d677aa46451c58c0984b178061a533e62034c1c55106d4882c53

SHA512
b80566155091b78aaff7d98fdaaf748e2b3e0de33752127e129d9a057515f11c3a3f599609980535a102bf55ab2cd7f1aed78cc28fefb4c02e66d30a095d3b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A4C.tmp.exe

Filesize
78KB

MD5
693976544066c7f9395435c5218d937b

SHA1
392858aa397899f3a1d4c8f95d29b918e43c32f1

SHA256
31a1473c99d25f6a4b3a5c76e2616d012612e63bba48a568da7e1373f308542d

SHA512
91cc8b1b2bfa8dfbf7ed81ae8ba650911d1c4d0c7cc0106fb6d153717e807a85af7084e6a3e1ce2533f6e3fe7ca180f93bb5ffeea217dcfa11acf06c87d6562f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB68EF1E5E5434821BB159A539EFC6095.TMP

Filesize
660B

MD5
7b49684fed374a0b3af87e3c5d8bc344

SHA1
d647e54ef70c3592cec283e45db00b77da315b50

SHA256
524bafa51875a44402146ed62a7e7b6a18ae7556f7e565adbe9d18b47cf3c00d

SHA512
705a73f64ac8c36bd48c82850e371a306e7da963e4a485e2a3917ee7b456a20e9659cfcbc23ce8bb33de1ac8dc0ca3d0c9b5d1077ed1ef9d465ea6f69a9b671a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2688-18-0x0000000074CD0000-0x0000000075281000-memory.dmp

Filesize
5.7MB

Download
memory/2688-13-0x0000000074CD0000-0x0000000075281000-memory.dmp

Filesize
5.7MB

Download
memory/4292-23-0x0000000074CD0000-0x0000000075281000-memory.dmp

Filesize
5.7MB

Download
memory/4292-25-0x0000000074CD0000-0x0000000075281000-memory.dmp

Filesize
5.7MB

Download
memory/4292-24-0x0000000074CD0000-0x0000000075281000-memory.dmp

Filesize
5.7MB

Download
memory/4292-26-0x0000000074CD0000-0x0000000075281000-memory.dmp

Filesize
5.7MB

Download
memory/4292-27-0x0000000074CD0000-0x0000000075281000-memory.dmp

Filesize
5.7MB

Download
memory/4292-28-0x0000000074CD0000-0x0000000075281000-memory.dmp

Filesize
5.7MB

Download
memory/4292-29-0x0000000074CD0000-0x0000000075281000-memory.dmp

Filesize
5.7MB

Download
memory/4292-30-0x0000000074CD0000-0x0000000075281000-memory.dmp

Filesize
5.7MB

Download
memory/4652-2-0x0000000074CD0000-0x0000000075281000-memory.dmp

Filesize
5.7MB

Download
memory/4652-1-0x0000000074CD0000-0x0000000075281000-memory.dmp

Filesize
5.7MB

Download
memory/4652-22-0x0000000074CD0000-0x0000000075281000-memory.dmp

Filesize
5.7MB

Download
memory/4652-0-0x0000000074CD2000-0x0000000074CD3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing