metamorpherrat | cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94

General

Target

cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe
Size

78KB
MD5

ca7583847cf90a0434f961c3951d08b0
SHA1

d639286f4cc2cd8ac5c8d484519ee803f0983699
SHA256

cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94
SHA512

7c102cb7ace48ba871ccb3daea3a720bba98930aa73140c2cec1ef3c76ee706c98655b73c8e22d88c058e8f7af0996f3c8e81ef78dc20157d13ae52f65ebf847
SSDEEP

1536:bCHF3JIfpJywt04wbje37TazckwzW4UfSqRovPtoY0BQt1t9/0H1ow:bCHF5IhJywQj2TLo4UJuXHh1t9/s

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe

Deletes itself 1 IoCs

Processes:

tmp884A.tmp.exe

pid	Process
1496	tmp884A.tmp.exe

Executes dropped EXE 1 IoCs

Processes:

tmp884A.tmp.exe

pid	Process
1496	tmp884A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exevbc.execvtres.exetmp884A.tmp.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp884A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exetmp884A.tmp.exe

description	pid	Process
Token: SeDebugPrivilege	3892	cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe
Token: SeDebugPrivilege	1496	tmp884A.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exevbc.exe

description	pid	Process	procid_target
PID 3892 wrote to memory of 1552	3892	cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe	83
PID 3892 wrote to memory of 1552	3892	cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe	83
PID 3892 wrote to memory of 1552	3892	cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe	83
PID 1552 wrote to memory of 4376	1552	vbc.exe	87
PID 1552 wrote to memory of 4376	1552	vbc.exe	87
PID 1552 wrote to memory of 4376	1552	vbc.exe	87
PID 3892 wrote to memory of 1496	3892	cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe	89
PID 3892 wrote to memory of 1496	3892	cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe	89
PID 3892 wrote to memory of 1496	3892	cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe	89

C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe
"C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yuignblg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8993.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc41EC762CFCC142489B8E30E6134D96.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4376
- C:\Users\Admin\AppData\Local\Temp\tmp884A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp884A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8993.tmp

Filesize
1KB

MD5
d1c40fd0d86043a4d1cb39e0e9c6587a

SHA1
aace5b93bfe7d1d1d0be88020b7edb708e47ad22

SHA256
b5430964be77c20f0d615c14c41f4d3408cdf79a165cd2b6abb58336e2b06302

SHA512
ac06bd211627c16141a2370b56609eff40c2c9f0e75fb7cd94a3b88475fd20805d936f96358a032a43168e770c63c967d4b82de83383747353090930dda3f0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp884A.tmp.exe

Filesize
78KB

MD5
6b6f41912b0b687b3ce6cd2747993f83

SHA1
87033edbad1dfd1902235b586467131b9e2c6b57

SHA256
46ff22bb3681f0a5d917f4781e7b457c81a5251bf68016997366bf563a0640da

SHA512
290e174914671674ef734ddcd54731ab1e2b9ce5a6fd121cf3cbdf19aec32668175e4873515a1442c81fc7ee575a3778399c57fd14c90f2877b9695387c2fee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc41EC762CFCC142489B8E30E6134D96.TMP

Filesize
660B

MD5
22d9375175e87a3c8110e176b2580cef

SHA1
b86771ec7291b2235438f29a800b9d781e31e3ad

SHA256
afeba67c3efb909108df641e27a6f96f626d25c08e617147735444a0a4303a0d

SHA512
3e3d4a2d8efe2c437fc9c771f0dd5a4611edde9e99ae7c36af59ad072361c7399c67e0147e2166a1fd331480f78ce740a2eb340c62bf5330d0f880fc1353d612

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuignblg.0.vb

Filesize
15KB

MD5
6033a45f60a56133f940c48b74c15973

SHA1
e073f56ede861d9ae9df3d533c615c96c8b9f274

SHA256
8025b6468bd6cc9484aa23a963b333ef9bcb3864772274c667589ed19d1ba8a6

SHA512
9e3b5b7d220f096d9ef64db7cd708373d1a6199725bfa2d5158a6c30341eabb5e363aac225a7c5f6cfd7527f186461782a633bca728c86f954fdb61ad6324f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuignblg.cmdline

Filesize
266B

MD5
184986374e84499bcf6f693870a76b3a

SHA1
ce4a6fddfac7962cc8a146c8eeaf0636141ddc23

SHA256
18404405d40778790cc2414c3a1eeeebbcb066c1d245126f9d1d60d6675734dc

SHA512
39cc0c450607cba9a3b39e4776dd0aad3cda08ec46eecc57431794ad8e4c42a89595acee681d87e1ad7a88d345c328e9fe5ec12c351df52eda41a3ff3692bf50

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8008b17644b64cea2613d47c30c6e9f4

SHA1
4cd2935358e7a306af6aac6d1c0e495535bd5b32

SHA256
fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

SHA512
0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

Download Submit
memory/1496-23-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/1496-24-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/1496-25-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/1496-26-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/1496-27-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/1552-9-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/1552-18-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/3892-2-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/3892-1-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/3892-22-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/3892-0-0x0000000074A62000-0x0000000074A63000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads