metamorpherrat | 03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0

General

Target

03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe
Size

78KB
MD5

3c45405aa914a6f3b5fc9b7ca48701a0
SHA1

375daa058d89e5fcf72f55bc2f05b4e267dabebe
SHA256

03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0
SHA512

83eea3a03004ebf292859ca86729767b966aec648f61b12031a772a76f2fb403fa47f988ff2a1d1480a174f39d93417b703a0a22bc57f606a1aef43b14c93307
SSDEEP

1536:Qy5xpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtd6z9/m1ox:Qy5HJywQjDgTLopLwdCFJz49/X

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe

Executes dropped EXE 1 IoCs

Processes:

tmpA6CF.tmp.exe

pid process

3716 tmpA6CF.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3716	tmpA6CF.tmp.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exevbc.execvtres.exetmpA6CF.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA6CF.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exetmpA6CF.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4544	03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe
Token: SeDebugPrivilege	3716	tmpA6CF.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exevbc.exe

description	pid	process	target process
PID 4544 wrote to memory of 2792	4544	03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe	vbc.exe
PID 4544 wrote to memory of 2792	4544	03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe	vbc.exe
PID 4544 wrote to memory of 2792	4544	03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe	vbc.exe
PID 2792 wrote to memory of 544	2792	vbc.exe	cvtres.exe
PID 2792 wrote to memory of 544	2792	vbc.exe	cvtres.exe
PID 2792 wrote to memory of 544	2792	vbc.exe	cvtres.exe
PID 4544 wrote to memory of 3716	4544	03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe	tmpA6CF.tmp.exe
PID 4544 wrote to memory of 3716	4544	03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe	tmpA6CF.tmp.exe
PID 4544 wrote to memory of 3716	4544	03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe	tmpA6CF.tmp.exe

C:\Users\Admin\AppData\Local\Temp\03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe
"C:\Users\Admin\AppData\Local\Temp\03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dhc_svqb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7F8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc48BF648AA9B84328A1D9B1B44D89215D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:544
- C:\Users\Admin\AppData\Local\Temp\tmpA6CF.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA6CF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA7F8.tmp

Filesize
1KB

MD5
0ce4bc341ae7718686c983b26280a152

SHA1
f498a2041f6f98412a84ea36829025405bf1339a

SHA256
70767902d8ccdf4b803bef4e448c5eb666d8db2717d00e573d6a9db1ae793da7

SHA512
2378e85af57ce5c5b829a730d4b9d3be7f0cd271995d1c888784620ed9ab402a69aa25a442eccb832b6b521789785e76fe125df89a7b918226484d55507163b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhc_svqb.0.vb

Filesize
14KB

MD5
fb9e9283052ab8952457b1ced2222d3c

SHA1
7d11412a546b96e59b1419a025ab3402baf19f6e

SHA256
b3d37bdf19c7cc32176d74262743406f4a61ec6e9f294de6aed97c91b07c8c86

SHA512
774237022f5bf342d5a95129caf0972045863df9ec9d0c6deb2710f30ead173fab0e76edf1ed47a9bda7e4daa675aabea589b280acfd9ee2564b442b7ac50ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhc_svqb.cmdline

Filesize
266B

MD5
4e6eee52780fa725b98403af9e3ea8ad

SHA1
ac279c7e6b8a25b078bfa0ce9a78a2199a4e03ed

SHA256
6ffc32096af854dca2b7e1f4f4caf5de6cabf127a92f355d7f187a26c166d9b1

SHA512
7b33a769597528199611e1663a2962997e1f3d2598dd5c01038189da74bca078ad322f94acca8b23dfa754a1bfedbb9908bda85c7a425ad877ab1447ccfcfe6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA6CF.tmp.exe

Filesize
78KB

MD5
b5b3e1ec12a1265f5471a73fb1c431a6

SHA1
15b9fe79164c6668ffc534e9ee9af1a15bbb0561

SHA256
d79e0da37611bfd381d7f50f731af9ca52e1f378920dda052fc2ffd8cb1fae05

SHA512
4ac1aea3adac8879d7f1b852235100a8a8791ca05d8ac272808ceadbd60cf5b3eb28fbd5d4c3e5faf9330a69091a4e74ea60704813aca2c28b3fa2544c29806b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc48BF648AA9B84328A1D9B1B44D89215D.TMP

Filesize
660B

MD5
f4cba9d6b358102af8439c7c880fd690

SHA1
74d757483bcfb9fe9910da9133889038f4a260d7

SHA256
99599d7e36c745ded2ffa1a3681e2e7eaee6333039e510d11e854428aca8338e

SHA512
ddba63a8f3f077424c9be5df895da9a5e45c64a1eed19606aa9ac2bff6adaaddbf7bafcf1d305b943324165361ac2f0f1d7f4303ff649d209f10dc9acfde8f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2792-9-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/2792-18-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/3716-23-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/3716-25-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/3716-24-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/3716-26-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/3716-27-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/3716-28-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/4544-0-0x0000000074CC2000-0x0000000074CC3000-memory.dmp

Filesize
4KB

Download
memory/4544-22-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/4544-2-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/4544-1-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads