metamorpherrat | 9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e

General

Target

9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe
Size

78KB
MD5

1156991c90c7131c76450dd7f4b97f64
SHA1

71c8e26cfe81d26c3d4dfe72936115b23865f5ae
SHA256

9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e
SHA512

cfdce5ada97a2af49705700bbf166b21f5d56c8755f9244f6a115915f3fd6d563bd5c6f7599c7d1f2de71a03ed86e10b0223e62806d7b6f82bb8ffe470263ff0
SSDEEP

1536:UHFo6JIfpJywt04wbje37TazckwzW4UfSqRovPtoY0BQto9/Bb1AL1:UHFoOIhJywQj2TLo4UJuXHho9/a1

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe

Executes dropped EXE 1 IoCs

Processes:

tmpAF3B.tmp.exe

pid process

4192 tmpAF3B.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4192	tmpAF3B.tmp.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exevbc.execvtres.exetmpAF3B.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAF3B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exetmpAF3B.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2732	9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe
Token: SeDebugPrivilege	4192	tmpAF3B.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exevbc.exe

description	pid	process	target process
PID 2732 wrote to memory of 424	2732	9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe	vbc.exe
PID 2732 wrote to memory of 424	2732	9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe	vbc.exe
PID 2732 wrote to memory of 424	2732	9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe	vbc.exe
PID 424 wrote to memory of 4676	424	vbc.exe	cvtres.exe
PID 424 wrote to memory of 4676	424	vbc.exe	cvtres.exe
PID 424 wrote to memory of 4676	424	vbc.exe	cvtres.exe
PID 2732 wrote to memory of 4192	2732	9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe	tmpAF3B.tmp.exe
PID 2732 wrote to memory of 4192	2732	9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe	tmpAF3B.tmp.exe
PID 2732 wrote to memory of 4192	2732	9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe	tmpAF3B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe
"C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7v9brzly.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:424
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB13F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB54CD2D6FC754543883E6CEAC16C36D4.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4676
- C:\Users\Admin\AppData\Local\Temp\tmpAF3B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpAF3B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7v9brzly.0.vb

Filesize
15KB

MD5
bc0b6d21604a9f9154451acaa84da6db

SHA1
ddbb3a3b0cb485270c148db0ac5c149b5002b5dd

SHA256
5d21d2a034f25bcdb21bccbcbb14fe4179e0a356d53f4da88c00c0f5d14139a1

SHA512
2246f79b2aa350d8e51a941998774e5dd35218d059a56cfa5b9c1efad4063cdc3928eec6e7723e00a427a806f8a60c0e2872ada4828bef81a27bfa030d00399f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7v9brzly.cmdline

Filesize
266B

MD5
1856ad133ef75e98365027069052c4f7

SHA1
1ee2c0054f6321bb419319b03f673a58adaeaf5b

SHA256
c88e1129f0c9b0b15f1eb8944115dcf8e65e763d3a012b76c23fb8e4ad955abf

SHA512
7e312a7eb5936cc9ae365bac29160ceca1d76b925d9f34887867cbbdfc93610199513396064b2ea063f033191d895c3b461cc96471f3dc15ad783f5cd761cba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB13F.tmp

Filesize
1KB

MD5
83350de4f6e6164b1bd80f72f9979c63

SHA1
7c5fc6724ded101d8d46dc9e245d6f2b981f2baa

SHA256
976e51a668a962cef77e68adef3a7600220e84a72e7251ba4f3f02cbd1085c19

SHA512
0eb4caa95b57bd86f62cad20bb2fe10722c1d5497605c28e7d77886e6f1b83886b36957e1150937c5f475eff15cce0b633969d4eb587996235d84958e8dfda30

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF3B.tmp.exe

Filesize
78KB

MD5
4e96e4a9bd0f042f0fe76462666a19de

SHA1
069112f0f37fec4230ec59223403e86699c95064

SHA256
1ad0593d956c45532dc8f720931706268aea52d775e80332971f5db95718bf2a

SHA512
a0050b5e3b54ba6a85f6cce4e34be8586c3ac394ffe0bbad7aa000edee62abfe5dd6b93073d3a5707dac05278b0e7582284c4fde6c9f1bc38447794e19838d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB54CD2D6FC754543883E6CEAC16C36D4.TMP

Filesize
660B

MD5
5790b4ff0d14ddd16bb5adbae9af599f

SHA1
69e749aecddcb55f6a45913f59614f973b83db13

SHA256
bc86d661283a7d461276035a636f51297cdacb9f6e301a94f90e5187818c4789

SHA512
f8d5cc53bed31dc495f5df46be8d82064e4835e408809cfa8f58b07db7a1dde7b9d0723b40cbcff36f0e19dfe609218f140e892933e89577a10291aefc6b1fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8008b17644b64cea2613d47c30c6e9f4

SHA1
4cd2935358e7a306af6aac6d1c0e495535bd5b32

SHA256
fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

SHA512
0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

Download Submit
memory/424-18-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/424-8-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/2732-0-0x0000000074D22000-0x0000000074D23000-memory.dmp

Filesize
4KB

Download
memory/2732-2-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/2732-1-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/2732-22-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4192-23-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4192-24-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4192-25-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4192-26-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4192-27-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads