metamorpherrat | 2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364c

General

Target

2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe
Size

78KB
MD5

00152c998c9fcf9b697738c9564d2730
SHA1

65ed9cd87387a3eb6ab1da9ab7df5e824b6dd0b0
SHA256

2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364c
SHA512

8e09ca9c1578e49568407da87ff70fb64dd5adf454bf0573ecc8ef6a7c8442969730ce2f8df0bf27ccef49ccb3192271d4f5eecc9d216bfddd8833323d30541d
SSDEEP

1536:pCHFo6JIfpJywt04wbje37TazckwzW4UfSqRovPtoY0BQtD9/Te1nI:pCHFoOIhJywQj2TLo4UJuXHhD9/Tz

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe

Executes dropped EXE 1 IoCs

Processes:

tmp8F8E.tmp.exe

pid process

60 tmp8F8E.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
60	tmp8F8E.tmp.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cvtres.exetmp8F8E.tmp.exe2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8F8E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exetmp8F8E.tmp.exe

description	pid	process
Token: SeDebugPrivilege	5072	2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe
Token: SeDebugPrivilege	60	tmp8F8E.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exevbc.exe

description	pid	process	target process
PID 5072 wrote to memory of 3924	5072	2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe	vbc.exe
PID 5072 wrote to memory of 3924	5072	2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe	vbc.exe
PID 5072 wrote to memory of 3924	5072	2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe	vbc.exe
PID 3924 wrote to memory of 1916	3924	vbc.exe	cvtres.exe
PID 3924 wrote to memory of 1916	3924	vbc.exe	cvtres.exe
PID 3924 wrote to memory of 1916	3924	vbc.exe	cvtres.exe
PID 5072 wrote to memory of 60	5072	2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe	tmp8F8E.tmp.exe
PID 5072 wrote to memory of 60	5072	2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe	tmp8F8E.tmp.exe
PID 5072 wrote to memory of 60	5072	2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe	tmp8F8E.tmp.exe

C:\Users\Admin\AppData\Local\Temp\2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe
"C:\Users\Admin\AppData\Local\Temp\2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cueoffbg.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9172.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD63FD72EF3C5498AAEAB6788D61A198.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:1916

C:\Users\Admin\AppData\Local\Temp\tmp8F8E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8F8E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9172.tmp

Filesize
1KB

MD5
b2c3110beaec5200c329da43e25a4cd0

SHA1
e6e99b577273b90348466b44cb1eec11ea05bb81

SHA256
b303b70db8bd5f9f52dd983082910136f366f538ff5efd48c3ccdeceb8c2372c

SHA512
c9fe1c1feea6749f9c5237d5c82974f374ba40ff39468d14eebc0ff6f9670dd74aa4abc194be8c407c24ead32ba4821c8491b799ca49e9667695117dc1db65f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cueoffbg.0.vb

Filesize
15KB

MD5
5b4ccac765f6b2d5e1eb4e32892bb124

SHA1
1cd2b85868140eb890d714a264218f7725f27fdc

SHA256
18e901f51a6c995c6237e598529eed5ec20f4db5e27ffe810548fcde593bed4a

SHA512
9586376004752a965140b2629dc13857edbee0716590febdc707c09a3623e2773bb71751e9cef0ddee9fbacd3f954738e904d9c77a4723905495a75bc236fd1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cueoffbg.cmdline

Filesize
266B

MD5
c6122733fc1d5c3d3d94ce81f18d7d94

SHA1
0d1d26a427b6eab62b9cae18a779fcd11da3e8f3

SHA256
7d6ad7185ecd4e9384e82b01d62eff1f99a1b6de102c5b2e4439bd7af2f3ad4f

SHA512
27543fb3f535465b64227fa6ecf27326e33ef3cde5a78b0c93bff30b2c3a8d6ea964264ea289992a778cefeb1d584742574b864314bf060cead58a0528c4048e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8F8E.tmp.exe

Filesize
78KB

MD5
7cced7293e483fcee8320fb9631b03c8

SHA1
9087fbe0480fcb48813b9c35b4dafe15ffb35b98

SHA256
aec3f5d7fb676eea28d5f1127d713dfaa66f3e46c73ae01e722144f56ef8568f

SHA512
bb5d3b011f8771b4dc7649fc61841af0c272cca757541b2d2803393f4b84dc4ee9dd8f31a30031fd15371e50ec3ecd1742e1126a2067ad7bd83f5091f370a859

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD63FD72EF3C5498AAEAB6788D61A198.TMP

Filesize
660B

MD5
bd874e3fe8b41718617c818c60c152db

SHA1
bbf22fb6992805ec44e45f71bc381444e545b14a

SHA256
2255a1934fa793c5f0f1e867f15da27b997e40f7f0ff6921dd7df61b39cb02da

SHA512
3ca8868ddb3cadcc7622c5fc7d3908c099ad1976e81cef593605f113a1ceb1dedf321efd828ddc251a6adcffe48ea084337b5e598693b758892c473ada09d3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8008b17644b64cea2613d47c30c6e9f4

SHA1
4cd2935358e7a306af6aac6d1c0e495535bd5b32

SHA256
fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

SHA512
0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

Download Submit
memory/60-23-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/60-27-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/60-26-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/60-25-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/60-24-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/3924-8-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/3924-18-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/5072-22-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/5072-0-0x0000000074BE2000-0x0000000074BE3000-memory.dmp

Filesize
4KB

Download
memory/5072-2-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/5072-1-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads