metamorpherrat | fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952ca

General

Target

fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe
Size

78KB
MD5

b2292e50056ea3376b677d79dd5bb4c0
SHA1

c1cb05f9606760d151193c87ef59038ca3c689a9
SHA256

fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952ca
SHA512

21ff0983879f3ffbc9f3a70e236f633acc65108079ae8ee6370b42c2eeb9f45438b9c587047d18aa6f46545cbba68acebf6ab572475821ee28aa7ac0d2e97671
SSDEEP

1536:jVSV5jSYpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti6R9/1f16F:ZSV5jSWJywQjDgTLopLwdCFJzJ9/6

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe

Executes dropped EXE 1 IoCs

pid	Process
3228	tmp6F44.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6F44.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe
Token: SeDebugPrivilege	3228	tmp6F44.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 4104	2796	fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe	84
PID 2796 wrote to memory of 4104	2796	fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe	84
PID 2796 wrote to memory of 4104	2796	fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe	84
PID 4104 wrote to memory of 4760	4104	vbc.exe	87
PID 4104 wrote to memory of 4760	4104	vbc.exe	87
PID 4104 wrote to memory of 4760	4104	vbc.exe	87
PID 2796 wrote to memory of 3228	2796	fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe	89
PID 2796 wrote to memory of 3228	2796	fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe	89
PID 2796 wrote to memory of 3228	2796	fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe	89

C:\Users\Admin\AppData\Local\Temp\fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe
"C:\Users\Admin\AppData\Local\Temp\fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e4z1wgmr.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70AC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc60D5D5E484BA4C73A28122279F945D4D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4760
- C:\Users\Admin\AppData\Local\Temp\tmp6F44.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6F44.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES70AC.tmp

Filesize
1KB

MD5
e9f19449dbf2d05f4c8782e9c348272a

SHA1
25b01e1aa381146c5618c8e91e1bad8d818577bf

SHA256
7a7efba3051cb40f91ce28feaa4b3e1c352671a05485cbfa95b525acd2d75e4c

SHA512
d485cf7d4414e99705437ab88c58ee7a0d56b73bcddff2da8ce73329e17aa73a69617c4bde076f4226a4c9db250e3faa401f52d8f3f1e3a64e6f038b32f6acbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4z1wgmr.0.vb

Filesize
14KB

MD5
fd2e4edf42410328e168a00b070af74c

SHA1
80e3dee440f5822d4c6b268ee4546c35c412d3a5

SHA256
ad16462a5a84f664851c36693a74a81fcb6b803181d10628aa14e2021e378b9f

SHA512
ce051a2dbe5d2206b5401510515567835780f3a144a901f28cfe5acfd853f5763250113467ff477282177923451f542102f1e8c9abd6b6b79f22af407ef5a9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4z1wgmr.cmdline

Filesize
266B

MD5
5783c3c9e9de7526fdd50f8fa446f69d

SHA1
e138176c8f53001180edda96fbd3293a68904f5f

SHA256
097ea21f3a52be318c794b7a55d3b48c1cf934cb81be4eea1a1ce7833da2a380

SHA512
22797391cd4e5c7b0109f28722355065094ff2d31198212ce7187046f8b66e0fc63384de944cc5e251669c86f2bae30c2aef071450c66f74fe386f8464db1f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6F44.tmp.exe

Filesize
78KB

MD5
22bdc39d199b80bd1eadaa9951c04d45

SHA1
00e1da5e61cb38a7632b8c1cd9c690e2e2dcf249

SHA256
564c204ed5ffa013fcd5499c4a5174a380142867ec2524251af185ca9dfb78ef

SHA512
10ddde024b781ade894ec0a14ac1af87dbb688bccd14cda675ce752420fb23b90cba0ee7dced857228a89efe357c38194b97574303bd1bc86915759455abcb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc60D5D5E484BA4C73A28122279F945D4D.TMP

Filesize
660B

MD5
748890788a0af6581c2c9e5ee582f5e1

SHA1
539ce39608d335633c2ee7cde52282443ca4dca3

SHA256
dc337136e752bd3e6e6c001099294e2e418eee5f59520eda96f158d712bc9697

SHA512
22e70dfe180e4496a64c9c8f35d6e4f9d13df0e2c773fee058a7465a15e14e755118a644020fbe4ad8f9cc04429159d7f6787f62b1501eb5789b670c2df328a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2796-0-0x0000000074F32000-0x0000000074F33000-memory.dmp

Filesize
4KB

Download
memory/2796-23-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/2796-2-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/2796-1-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/3228-22-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/3228-24-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/3228-25-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/3228-26-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/3228-27-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/4104-9-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/4104-18-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing