metamorpherrat | 49ebbfc90e8e286698e08d33eced1a6dc27b91dc16061843f581b1e8fd446cf1

General

Target

49ebbfc90e8e286698e08d33eced1a6dc27b91dc16061843f581b1e8fd446cf1.exe
Size

78KB
MD5

4a0806c567c08f47303027d4f3d99bdd
SHA1

5dd11054211aa4eb0ad602055359c638cfa3f72a
SHA256

49ebbfc90e8e286698e08d33eced1a6dc27b91dc16061843f581b1e8fd446cf1
SHA512

a049b7e225d6a933d5937dbc6835caa04f73d8694edeaaab7dfa4463f93553ebdf2db896ed0481aeeb2c55fb11010503dac699277582690b49f0955a69de5e72
SSDEEP

1536:8RCHF3uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtLV9/k+/C14Y:8RCHFP3DJywQjDgTLopLwdCFJzLV9/k1

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	49ebbfc90e8e286698e08d33eced1a6dc27b91dc16061843f581b1e8fd446cf1.exe

Deletes itself 1 IoCs

pid	Process
2316	tmp6A14.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2316	tmp6A14.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49ebbfc90e8e286698e08d33eced1a6dc27b91dc16061843f581b1e8fd446cf1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6A14.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1144	49ebbfc90e8e286698e08d33eced1a6dc27b91dc16061843f581b1e8fd446cf1.exe
Token: SeDebugPrivilege	2316	tmp6A14.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 4492	1144	49ebbfc90e8e286698e08d33eced1a6dc27b91dc16061843f581b1e8fd446cf1.exe	84
PID 1144 wrote to memory of 4492	1144	49ebbfc90e8e286698e08d33eced1a6dc27b91dc16061843f581b1e8fd446cf1.exe	84
PID 1144 wrote to memory of 4492	1144	49ebbfc90e8e286698e08d33eced1a6dc27b91dc16061843f581b1e8fd446cf1.exe	84
PID 4492 wrote to memory of 4048	4492	vbc.exe	87
PID 4492 wrote to memory of 4048	4492	vbc.exe	87
PID 4492 wrote to memory of 4048	4492	vbc.exe	87
PID 1144 wrote to memory of 2316	1144	49ebbfc90e8e286698e08d33eced1a6dc27b91dc16061843f581b1e8fd446cf1.exe	90
PID 1144 wrote to memory of 2316	1144	49ebbfc90e8e286698e08d33eced1a6dc27b91dc16061843f581b1e8fd446cf1.exe	90
PID 1144 wrote to memory of 2316	1144	49ebbfc90e8e286698e08d33eced1a6dc27b91dc16061843f581b1e8fd446cf1.exe	90

C:\Users\Admin\AppData\Local\Temp\49ebbfc90e8e286698e08d33eced1a6dc27b91dc16061843f581b1e8fd446cf1.exe
"C:\Users\Admin\AppData\Local\Temp\49ebbfc90e8e286698e08d33eced1a6dc27b91dc16061843f581b1e8fd446cf1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aejfiddy.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B1E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc662FC9797D74945955D908EAC7E93CD.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4048
- C:\Users\Admin\AppData\Local\Temp\tmp6A14.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6A14.tmp.exe" C:\Users\Admin\AppData\Local\Temp\49ebbfc90e8e286698e08d33eced1a6dc27b91dc16061843f581b1e8fd446cf1.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6B1E.tmp

Filesize
1KB

MD5
c61cf7a006cb8a794599fb4e527288dc

SHA1
8c5d75bfabafc400d6c95e6a78d7b6a402033d1c

SHA256
83fe4902887f9f1f9db6267930c4619710b7dccf369078525e0aa017d7934d2f

SHA512
d98de8b26ed31028238ec5d3d05a92ce128828b0c567a2f66d8f0ec855f68ce72c666510ed8a27b8d0c2f5c79905eea72f4298735ce0187f161b112a201da509

Download Submit
C:\Users\Admin\AppData\Local\Temp\aejfiddy.0.vb

Filesize
15KB

MD5
00e6c31205654f54aaf8f3b58f5cab2b

SHA1
37bd355671acd5f87a2ac8c24f109a130a2583df

SHA256
a8b77448635f1160db921b3ff2fc5ce6c78b1decff679c03a009c358c581def8

SHA512
f02ce56b58a970f08e6e87e7c10724e6ad7bffed2316b8734cf1df9f80240f1bde0397fcda06e35e64f633ef522263895f70ba5c4ccf75a7a66d1bc126c0763a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aejfiddy.cmdline

Filesize
266B

MD5
ebcdfe999b6bb93b74c3ee4634a2718b

SHA1
6b03718f23520fc38432a13a92f3f1a77d12c570

SHA256
f8f6359e7aa6fb5c856f1131d7388ce7079bff13c75979d6b3cf1ae09336f0c6

SHA512
cceb9cdcff4622438ebca4cab5f77f35754e6985db0031dda39e5d2de98cd3bb81f25d3de5a923c4132b030ab74b8ee11b4f410d31b53f95dcdf5b66ea0985be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6A14.tmp.exe

Filesize
78KB

MD5
c2be2318019261605333ef3ac53b5fa4

SHA1
d6cf9fb4727b1d51f33bccd564ef2dcac0607f7b

SHA256
35928c43d5eeb2f4c5e0119b404d59d9959f8ea59a03a080aea9f32dc6a67169

SHA512
0b021b6c6694c167eeb6d2b3aab540177952eadd24dbbfb052e721798ec343b65c94b35b2282e2ec1b7695ca0f2f2af2d69398e584f61b662158f5615b362bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc662FC9797D74945955D908EAC7E93CD.TMP

Filesize
660B

MD5
6a045b5f4029ca0a0973f325e2bbf88d

SHA1
827547ff4d6b2280d06d909309a0006f6e4752ff

SHA256
2d133f003eaac9da81fcd992e529a44f8684a423c2f24c799749940d51a22047

SHA512
d66722ccf9bac1c4d0fa8e2f13bd382c3db7b808fa4b200bc80c426357f9c4377999718bfd4ef7b4bf00fb4750d04add8d4008d1b73074cb9300431a6720c663

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1144-1-0x00000000745D0000-0x0000000074B81000-memory.dmp

Filesize
5.7MB

Download
memory/1144-2-0x00000000745D0000-0x0000000074B81000-memory.dmp

Filesize
5.7MB

Download
memory/1144-0-0x00000000745D2000-0x00000000745D3000-memory.dmp

Filesize
4KB

Download
memory/1144-22-0x00000000745D0000-0x0000000074B81000-memory.dmp

Filesize
5.7MB

Download
memory/2316-26-0x00000000745D0000-0x0000000074B81000-memory.dmp

Filesize
5.7MB

Download
memory/2316-23-0x00000000745D0000-0x0000000074B81000-memory.dmp

Filesize
5.7MB

Download
memory/2316-24-0x00000000745D0000-0x0000000074B81000-memory.dmp

Filesize
5.7MB

Download
memory/2316-25-0x00000000745D0000-0x0000000074B81000-memory.dmp

Filesize
5.7MB

Download
memory/2316-27-0x00000000745D0000-0x0000000074B81000-memory.dmp

Filesize
5.7MB

Download
memory/2316-28-0x00000000745D0000-0x0000000074B81000-memory.dmp

Filesize
5.7MB

Download
memory/2316-29-0x00000000745D0000-0x0000000074B81000-memory.dmp

Filesize
5.7MB

Download
memory/2316-30-0x00000000745D0000-0x0000000074B81000-memory.dmp

Filesize
5.7MB

Download
memory/4492-18-0x00000000745D0000-0x0000000074B81000-memory.dmp

Filesize
5.7MB

Download
memory/4492-9-0x00000000745D0000-0x0000000074B81000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing