metamorpherrat | 563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9d

General

Target

563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe
Size

78KB
MD5

f38bc08a5b9970411bb240e1e7da49b0
SHA1

591354c4286d1c199deffc0438ffa3b26639a249
SHA256

563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9d
SHA512

3d0cda4cff3f358ae19a7c0f1fb6cc1e0d1d51aee856405350271b9a2a965739374832d3aea6f078823d7252443a923a8cc6948c7da6bf856781c11fcd970bc9
SSDEEP

1536:9Py58/pJywt04wbje37TazckwzW4UfSqRovPtoY0BQtv6k9/1i1ud:9Py58BJywQj2TLo4UJuXHhp9/15

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe

Deletes itself 1 IoCs

pid	Process
2288	tmpA7F8.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2288	tmpA7F8.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA7F8.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	468	563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe
Token: SeDebugPrivilege	2288	tmpA7F8.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 384	468	563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe	84
PID 468 wrote to memory of 384	468	563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe	84
PID 468 wrote to memory of 384	468	563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe	84
PID 384 wrote to memory of 3764	384	vbc.exe	87
PID 384 wrote to memory of 3764	384	vbc.exe	87
PID 384 wrote to memory of 3764	384	vbc.exe	87
PID 468 wrote to memory of 2288	468	563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe	89
PID 468 wrote to memory of 2288	468	563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe	89
PID 468 wrote to memory of 2288	468	563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe	89

C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe
"C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vg4timyl.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB1414D88568A4108BA8E5A912675D22.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3764
- C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA9CD.tmp

Filesize
1KB

MD5
b4f199c8e0b24ad9275a0314caab9c0f

SHA1
476d9634c77f3e298bb3b3aacdf6601b106dd30d

SHA256
90f6109d4894e4af36253959862a4266cf6b52971ff25e81ba3147fceb179563

SHA512
df31d501528ed5e64d86e830e7d05ebceee009ecc1829701fa41960ca907f31812e4ee888198c9357b0b88680653243c3f64713f98f18b99e28fdc4f3013182b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp.exe

Filesize
78KB

MD5
f6f3cfc918ecd30f912d6d265fc530a7

SHA1
629e842e65c879fe4e1b1cbe4751ece658a2f1d1

SHA256
7f9ba20e35a42b8bab954c1dbe72e608becb8dab7319fca20b7cbf23d5f2a143

SHA512
c3e12b753876d2005aa314605c73543e2d42f4cf5294659cec2dc6a38c9655357cbcc869aa861d01dbd1fbdcaba5beea4408a6df83d3b539203a27cf28eb331e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB1414D88568A4108BA8E5A912675D22.TMP

Filesize
660B

MD5
7e582bb4b7da5f99717544f480e3b749

SHA1
40596e8fc3c8d3977e52c5d7456df1393885dd82

SHA256
23e7c1c68cb86ea6d4b28ead076c71bc6fd0ac5661feedca6f53c5df99fd06d1

SHA512
4d67874fc4d0df31f9b8293d62b69b491eb6a44cf129ba43e542d53794327cdb7eb1f602a0e1af0f6e706d94e9dba7c6d6a118ba1dba88eaf1559e009fc0a704

Download Submit
C:\Users\Admin\AppData\Local\Temp\vg4timyl.0.vb

Filesize
14KB

MD5
60b2b03bb9bc80a9e16016d8d52c1fd2

SHA1
3f454e70b0171e156ef5c2ef032f78487a723c0c

SHA256
1dca1ca32dab8228a062f1f7c57938fe9877dbe8a7ccef836f271ea7635e4242

SHA512
e497bb66567e9aebcacd1fc28dc61a54d9c1ac8e7695725fda00b954d55abd0bee20634f40de8a37eecc59f422fa3759d4c5f6ce03faa9d3b7f4ac5f5aabf459

Download Submit
C:\Users\Admin\AppData\Local\Temp\vg4timyl.cmdline

Filesize
266B

MD5
cc9f0385a85cd56fec0a96414db80921

SHA1
edcf690d27433270aaa568899aa49346b79849fe

SHA256
3e3d3a71e44176201552ed32d7ca5b1455ac487543ed16bc259449dd06053023

SHA512
48dd6aea34097c498d1dca3e24293209deec06704deb52f12936975afbf48dcd6f52dd56e5eb8e04a5373987305942b841573abddfe8c66fa973a826e024ca61

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8008b17644b64cea2613d47c30c6e9f4

SHA1
4cd2935358e7a306af6aac6d1c0e495535bd5b32

SHA256
fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

SHA512
0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

Download Submit
memory/384-8-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/384-18-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/468-0-0x0000000074A32000-0x0000000074A33000-memory.dmp

Filesize
4KB

Download
memory/468-2-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/468-1-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/468-22-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/2288-23-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/2288-24-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/2288-25-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/2288-26-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/2288-27-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing