metamorpherrat | a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673

General

Target

a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe
Size

78KB
MD5

b384eafb7f17622515730a4e3caf1ed0
SHA1

a4924fbff76142e52e4942d7fc902d7bcf3fb404
SHA256

a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673
SHA512

fb6a56b2960c9c17c0f03f619270ac57b6f32bce688f346fcf2557ce00b761e98f8560ac54554dcf30df491491a454ceb2c1f7268743fbd949b3d8f5eec88393
SSDEEP

1536:/CHF3JIfpJywt04wbje37TazckwzW4UfSqRovPtoY0BQte49/f1gB:/CHF5IhJywQj2TLo4UJuXHhe49/W

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe

Deletes itself 1 IoCs

pid	Process
5028	tmp7B3B.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
5028	tmp7B3B.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7B3B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe
Token: SeDebugPrivilege	5028	tmp7B3B.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1564	1104	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe	84
PID 1104 wrote to memory of 1564	1104	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe	84
PID 1104 wrote to memory of 1564	1104	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe	84
PID 1564 wrote to memory of 1152	1564	vbc.exe	88
PID 1564 wrote to memory of 1152	1564	vbc.exe	88
PID 1564 wrote to memory of 1152	1564	vbc.exe	88
PID 1104 wrote to memory of 5028	1104	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe	90
PID 1104 wrote to memory of 5028	1104	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe	90
PID 1104 wrote to memory of 5028	1104	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe	90

C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe
"C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jbyzy_r7.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CF0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc758138F2E1324547BDC2E7C2A7A7622.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1152
- C:\Users\Admin\AppData\Local\Temp\tmp7B3B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7B3B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7CF0.tmp

Filesize
1KB

MD5
742b7c53d6c6e23b4d877f9a0fb7847a

SHA1
ad9841f82fe77abf5bb48108ed6049fcab19839b

SHA256
93afeb76fe1395cf7c2f99263abc3e1e771c17165577e74fa26e3ecc6ee0d1f8

SHA512
690fcdc6ff0b7b3a2c69b787b775aa162d90e7b0fa1d8ac9b8e67ee3f304287a5b754e441aad8e6fbeb6d1e6980d734d46b76a5868d89f409f4ea6653fab5ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbyzy_r7.0.vb

Filesize
15KB

MD5
f0ddbcd87f44cb4a02b207019a381b37

SHA1
a4c706ecbe7c97453c2f9a09faf4cfaee1c35c3a

SHA256
2b3aebcc36d37c5fff6f53d036a8c4a62b6878292afcca531bd46d961e858096

SHA512
5cd4ee1cdbc4bcac616c47b5d423fda3251cb91b9619d45031ff3be0f20af646d0099b1fb1a6eda6d72667d4055250643c05baeb932796ec81d42a14229ec813

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbyzy_r7.cmdline

Filesize
266B

MD5
5d6473a9033e16112b77b2ef33258d31

SHA1
6cead00312251ef5daea87205e46dda5471f52f4

SHA256
e5de4656bab4af785195a49e9ae0319c830b64290c0f4b5d04c96af7afa1b18e

SHA512
2dcda416ea716583bccaf4711f86930f3a6934ab08a31f72f4d7c5e379abf74554eb6499e5b1f46aff99b5b128601e019877e06b10cc431d5cb8daf5991e74af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7B3B.tmp.exe

Filesize
78KB

MD5
9c8036ee5b66d2efcc43f65451589458

SHA1
e27339630b9822b0ecec7132b4a1a6402226da2e

SHA256
02e16f9572e2c1dd2c3b51565becfc0d475604c06ef576c256b1c5eb63469ec9

SHA512
720ab168dd7a8ba7e6433a4d5b6789852b53bab86bedd7b89ee31f8bf2a73c71a118e8cf952de5a1e0c4771acedff0b60f1e591b6a173cd2cde26c11ba419e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc758138F2E1324547BDC2E7C2A7A7622.TMP

Filesize
660B

MD5
47778c5a7ebcf0b22f13b1f20b2a5b22

SHA1
45e605454d88ac1f508593f8b2a9f2cbf0d955f8

SHA256
c331eb8a5bcb9dc92c50f6fd433eee6508daf69b91529000b46e4f59408e851f

SHA512
51737ccacf53dfbd9be9d00744da0521e81e690c0f5cda0846092539a66ed8d62350559ed212d550335edadbed6556d70ce07fdc39f89ce33ab7205c4f190643

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8008b17644b64cea2613d47c30c6e9f4

SHA1
4cd2935358e7a306af6aac6d1c0e495535bd5b32

SHA256
fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

SHA512
0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

Download Submit
memory/1104-2-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/1104-22-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/1104-0-0x0000000075162000-0x0000000075163000-memory.dmp

Filesize
4KB

Download
memory/1104-1-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/1564-9-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/1564-18-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/5028-23-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/5028-24-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/5028-25-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/5028-26-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/5028-27-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/5028-28-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing