metamorpherrat | a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717

General

Target

a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe
Size

78KB
MD5

400bf1cd79fee36cfebaf5f929edc919
SHA1

632001433f9197c1b842ecd2c6fcbbf623c4ccd2
SHA256

a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717
SHA512

555961917b0a74a58c7e7247dacff7f064d5b428a354a466abd2c79a4c31be5e10f74c7a65279cfc6195905bbffc41df4d11084325f350a7f9debabccae03005
SSDEEP

1536:SWtHFo6JIfpJywt04wbje37TazckwzW4UfSqRovPtoY0BQtS9/Qh1AS:SWtHFoOIhJywQj2TLo4UJuXHhS9/o

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe

Executes dropped EXE 1 IoCs

pid	Process
2800	tmpBF1A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBF1A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4820	a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe
Token: SeDebugPrivilege	2800	tmpBF1A.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 3296	4820	a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe	87
PID 4820 wrote to memory of 3296	4820	a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe	87
PID 4820 wrote to memory of 3296	4820	a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe	87
PID 3296 wrote to memory of 208	3296	vbc.exe	89
PID 3296 wrote to memory of 208	3296	vbc.exe	89
PID 3296 wrote to memory of 208	3296	vbc.exe	89
PID 4820 wrote to memory of 2800	4820	a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe	90
PID 4820 wrote to memory of 2800	4820	a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe	90
PID 4820 wrote to memory of 2800	4820	a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe	90

C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe
"C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3xk0agj7.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC63E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D985503EEB466EBF5D6C6AC9CB9FD.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:208
- C:\Users\Admin\AppData\Local\Temp\tmpBF1A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBF1A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3xk0agj7.0.vb

Filesize
15KB

MD5
b348347b96c52ff2f3290e2ef72fbcfd

SHA1
594315cce2c0f62c75e78eac335cf3b354f45e1b

SHA256
4121c5bae48a46b3831b61afc0101c8c7208c4f0e5f7c4760f92c1b9ad87da80

SHA512
c54b6c38a06e35e1f06e1ab1972734eccea1e1e477225fc4592b2ef53aa69a9c5c7c837f9cc2910a9e23e6a5742a6d0e764d61029fdc207dd919219bce09e205

Download Submit
C:\Users\Admin\AppData\Local\Temp\3xk0agj7.cmdline

Filesize
266B

MD5
fb2d06b3aa014faa6b54b75aff6ec788

SHA1
c3a554cdbbc44d33b8f7eb49eefb85cbd92c5a7b

SHA256
5587ddb6b2c2fd1e48250d4bcdf3751bcaee74819f613e742a62bc0346a53042

SHA512
63c56be3808424c0710bcb2f49fd138045c8c67c79827e50940640ca8a2d86b3fd4d1e489228441daee12027321a751d12592fb6a54b7e1dd4ef1d4c39af7ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC63E.tmp

Filesize
1KB

MD5
82746393d8eee26e54f05b1512971330

SHA1
a34dc817d6650786a369bd1084b9a0923a29284b

SHA256
d1a5397567f882bc498a33f17f093a49f9888f0f1638751f0d47cd63baa01d24

SHA512
8e6302f8da036c8c1ac14eae0a5496f2c8b3d8b33611c99348f52864ced9c0898b9b8c6a81c823c2d76df3015f8b467471fe450139129e449c0299e049d8ae76

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBF1A.tmp.exe

Filesize
78KB

MD5
54375c1902b874cd1b7b6071a7b35571

SHA1
cfae6795dff6cfdb2d06ccdf800e30f41839433b

SHA256
34cd9d96c7f58ce651bbeaa0050c2a01e433d2f445455ec7f732cd4b1d21d90d

SHA512
aa36465ee2b5ccf0d3b4e42c6cd0f81662301ac038ef834b13970fa2e2d1aeff0ac5393f90f63c13ecd8c4201e5a149116a517c9d025890356d02fb86336aaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9D985503EEB466EBF5D6C6AC9CB9FD.TMP

Filesize
660B

MD5
2e3d2a2fe7044fc4ce0dd0191be1e344

SHA1
3939e1b5723e10acb6b3b9a404c66ae4941ed733

SHA256
91b3108461e8862a43601a2f7c82f7c9126422cca9de35ea659f1b0d1e001a1d

SHA512
b3a8ebbb8b7886cb1efbb27a9a3afbf80259e1fd75a4c5b8ebef3fbdf0da89e8e2f01b00911e452c3a6078982986e12647f854048ab2c02cac23831f2976677b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8008b17644b64cea2613d47c30c6e9f4

SHA1
4cd2935358e7a306af6aac6d1c0e495535bd5b32

SHA256
fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

SHA512
0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

Download Submit
memory/2800-23-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/2800-24-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/2800-25-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/2800-26-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/2800-27-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/2800-28-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/3296-8-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/3296-18-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/4820-2-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/4820-1-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/4820-22-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/4820-0-0x00000000747D2000-0x00000000747D3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing