metamorpherrat | 4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41

General

Target

4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe
Size

78KB
MD5

1b1c5df4bc7bd45362a00185c12eba50
SHA1

57072f26a09e7fd3111b6789cbe7fd483ab77e1d
SHA256

4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41
SHA512

baa086046b94b6e1ec5e33238378c103b47ecbc4123a9abfd2c725cf88be9d37fe02a930215cd8dc89277c01107fd4f7b40de6f617a1748b4d1d211a59f27871
SSDEEP

1536:gHY6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQte9/F1Br:gHYI3DJywQjDgTLopLwdCFJze9/V

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe

Executes dropped EXE 1 IoCs

pid	Process
1792	tmp786C.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp786C.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4984	4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe
Token: SeDebugPrivilege	1792	tmp786C.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 4076	4984	4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe	84
PID 4984 wrote to memory of 4076	4984	4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe	84
PID 4984 wrote to memory of 4076	4984	4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe	84
PID 4076 wrote to memory of 3056	4076	vbc.exe	87
PID 4076 wrote to memory of 3056	4076	vbc.exe	87
PID 4076 wrote to memory of 3056	4076	vbc.exe	87
PID 4984 wrote to memory of 1792	4984	4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe	89
PID 4984 wrote to memory of 1792	4984	4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe	89
PID 4984 wrote to memory of 1792	4984	4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe	89

C:\Users\Admin\AppData\Local\Temp\4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe
"C:\Users\Admin\AppData\Local\Temp\4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vnpon_1k.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7AFC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAD2986308420432391447A732FF93C8F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3056
- C:\Users\Admin\AppData\Local\Temp\tmp786C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp786C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7AFC.tmp

Filesize
1KB

MD5
898f9a61566d922fd64e5f59efc8da88

SHA1
b2554bc08922010926ec2afe3fec5b4dfa00e8df

SHA256
83ff13a4a028872981aebc225b53da956ec84533271847784955852d7f5e3b15

SHA512
1e83b8c4cc70d888bf9b09a8f264dc5126a683bc0821d6badc82b501ba5ffea91f82b5c6f119d78240e4a0c8aaf9c989c954ccff0eb6402fdea029053e8fb8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp786C.tmp.exe

Filesize
78KB

MD5
d5ffd4fca99a31a8736c11f6460ee500

SHA1
a74c56b060f5cd3aba0050d34e49f346924b8c1c

SHA256
2489ad6c701a55c7defbd2115d3ddaf68d31d925fffa0050ecbad0806d674eb8

SHA512
6f76ac96c30cb3615b53f137e9eb5ddd98559c7aa3a44fda60ca385c7ad0d0adcbcf37b8a842e2b8bbc0f0740c88155a1cee8131db65f1ce68600e982cc4d9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAD2986308420432391447A732FF93C8F.TMP

Filesize
660B

MD5
b6b26e752e3b2d663ed7599c4b5b6c40

SHA1
1f3ec219ab0b89803063b5985469b5d84792c31e

SHA256
762098cb648a3afd7f95cb99c184929402e26320c474d1c1d370d81d571c78eb

SHA512
f5ab05daba608502ef3ce58e566a96602903b6b5131f45d138ac999cf25bc3ab9df035cda2fcdb22fe108c1e83c8d9a94db8e1435e72e3ea86151e20b20c9e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnpon_1k.0.vb

Filesize
15KB

MD5
84f1ac4b4cb61d4f1a1fefde07c67c33

SHA1
5e3571d44a06c377bcc520bdb5b003e40c5e8af9

SHA256
799283268c009e84380f00051258ae164d2140c22d0e84baf8ee0d34dfbb3b42

SHA512
6deb48edef6c2d652b651ee60701ccdc9a1ac8fca7a2b597c35c601b27b8351be134b40311879cf6c14806d03dddf16874e68ad546eb13aeb9ab8918a5c446fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnpon_1k.cmdline

Filesize
266B

MD5
008444da491aa118fb84a11a4d2959c3

SHA1
a042c802bd728291e47acda7c5068b5320fe90e3

SHA256
ee943a4196134cfd236b523e048ea17caaf5893fc8062a40ab90dc79ac29b695

SHA512
a1b4ea7d418c3025a7b76bd7c9958b0c0819996965b2ae8d4478f20350976b76f5f50b06dd695223e2f13e47cc873477dfb322ef3821cfc69c9f32b189643cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1792-23-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/1792-24-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/1792-25-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/1792-26-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/1792-27-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/1792-28-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/1792-29-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4076-9-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4076-18-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4984-2-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4984-1-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4984-22-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4984-0-0x0000000074BE2000-0x0000000074BE3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing