metamorpherrat | 750e8fcf808f11097aaf003bb8bfb04eb48f0e5bac4208dea2c401d94423351f

General

Target

750e8fcf808f11097aaf003bb8bfb04eb48f0e5bac4208dea2c401d94423351fN.exe
Size

78KB
MD5

97acfa314c7c7e6d50fb1e77997bb0e0
SHA1

b1d487f5c1b84245be274e8f1b3e28503e57be23
SHA256

750e8fcf808f11097aaf003bb8bfb04eb48f0e5bac4208dea2c401d94423351f
SHA512

cc26cb3f38c2b88a3bfbee6650fe4206ece9c989f3db2d528e71ef59a160f46c208c01f4d23ecacab871d1ce5d693694aed500e373e827b0746ff4f6abde016c
SSDEEP

1536:ke58mpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtd6St9/61z1:ke584JywQjDgTLopLwdCFJzh9/C

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

750e8fcf808f11097aaf003bb8bfb04eb48f0e5bac4208dea2c401d94423351fN.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	750e8fcf808f11097aaf003bb8bfb04eb48f0e5bac4208dea2c401d94423351fN.exe

Executes dropped EXE 1 IoCs

Processes:

tmpCC1A.tmp.exe

pid process

2668 tmpCC1A.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2668	tmpCC1A.tmp.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cvtres.exetmpCC1A.tmp.exe750e8fcf808f11097aaf003bb8bfb04eb48f0e5bac4208dea2c401d94423351fN.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCC1A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	750e8fcf808f11097aaf003bb8bfb04eb48f0e5bac4208dea2c401d94423351fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

750e8fcf808f11097aaf003bb8bfb04eb48f0e5bac4208dea2c401d94423351fN.exetmpCC1A.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3580	750e8fcf808f11097aaf003bb8bfb04eb48f0e5bac4208dea2c401d94423351fN.exe
Token: SeDebugPrivilege	2668	tmpCC1A.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

750e8fcf808f11097aaf003bb8bfb04eb48f0e5bac4208dea2c401d94423351fN.exevbc.exe

description	pid	process	target process
PID 3580 wrote to memory of 2120	3580	750e8fcf808f11097aaf003bb8bfb04eb48f0e5bac4208dea2c401d94423351fN.exe	vbc.exe
PID 3580 wrote to memory of 2120	3580	750e8fcf808f11097aaf003bb8bfb04eb48f0e5bac4208dea2c401d94423351fN.exe	vbc.exe
PID 3580 wrote to memory of 2120	3580	750e8fcf808f11097aaf003bb8bfb04eb48f0e5bac4208dea2c401d94423351fN.exe	vbc.exe
PID 2120 wrote to memory of 3564	2120	vbc.exe	cvtres.exe
PID 2120 wrote to memory of 3564	2120	vbc.exe	cvtres.exe
PID 2120 wrote to memory of 3564	2120	vbc.exe	cvtres.exe
PID 3580 wrote to memory of 2668	3580	750e8fcf808f11097aaf003bb8bfb04eb48f0e5bac4208dea2c401d94423351fN.exe	tmpCC1A.tmp.exe
PID 3580 wrote to memory of 2668	3580	750e8fcf808f11097aaf003bb8bfb04eb48f0e5bac4208dea2c401d94423351fN.exe	tmpCC1A.tmp.exe
PID 3580 wrote to memory of 2668	3580	750e8fcf808f11097aaf003bb8bfb04eb48f0e5bac4208dea2c401d94423351fN.exe	tmpCC1A.tmp.exe

C:\Users\Admin\AppData\Local\Temp\750e8fcf808f11097aaf003bb8bfb04eb48f0e5bac4208dea2c401d94423351fN.exe
"C:\Users\Admin\AppData\Local\Temp\750e8fcf808f11097aaf003bb8bfb04eb48f0e5bac4208dea2c401d94423351fN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ggshxcqo.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE5C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDA7E16B32E3646D5BF824A2531D53B.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3564
- C:\Users\Admin\AppData\Local\Temp\tmpCC1A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCC1A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\750e8fcf808f11097aaf003bb8bfb04eb48f0e5bac4208dea2c401d94423351fN.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCE5C.tmp

Filesize
1KB

MD5
b0fc94c14a7b2a3db70e5ac696e71199

SHA1
bec5742ce8a7b5e49ce452545bdf95bd96f2448d

SHA256
d8f31abbabad2ef9ae2279fb7c3f13a55ab716734daf3952adc32c94e0e2d92c

SHA512
41ff37333a9f78a083d6a0496bf09aeaf6ac9cccce93eeac4e0e843665e73b205acaf01b287c60201ac52b15c8da3e8c7daa2b62486986665cb0273fc4fd3327

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggshxcqo.0.vb

Filesize
14KB

MD5
1de9f8f4497080e341fcba15c12ac9dc

SHA1
ee67aaef13dd3488560eb63b6569dd7836ecc101

SHA256
41882f90356e8738f2539b745e6016def8cd5694cf966d818c4d6fa8af8e7ac7

SHA512
7885a36189eb1a6e1b7c3c7eb1996af0d36b0c558afcac8db2ee5656931d48cab531d3d17bb8dce956d526e762a18009f4c4447e0a699abe8e89a1b60acc8c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggshxcqo.cmdline

Filesize
266B

MD5
0fb0dd36ed218e76e7ee9c440a7d9c9c

SHA1
3744e27ba465dde5280651e2b9d12a1b0e174c53

SHA256
53c8c3945272f8133a8476375a44ce8bb526c2beaeffc18efa39bfbf8e4a94c6

SHA512
917a1352229cf56cab1bfbe38c4a220ac11214803bcb01cb1cb54939305eb8e2576c49f72fa7c2b3d9e043a9fd9c900f612c5ce37782f4b5e3bfaa2f697fd316

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCC1A.tmp.exe

Filesize
78KB

MD5
b3c74c03239e3bfcc911d5add4d2dd66

SHA1
1d73481f1a8f360c7cfe9630ee559d7b98def1ad

SHA256
aa764a79b22d449d0aedd74c39d2c52cc32a6e642cd624309411e1fddf31740e

SHA512
01bdad415be99706c272c47e19196161b2b4024c1ff0722b8bd49cbeee87412b7941dc96004270d78a18c6f645dc432ada5968024dfcc235225e2191452b3a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDA7E16B32E3646D5BF824A2531D53B.TMP

Filesize
660B

MD5
7eb33fd9f1e129fe3532c408bbfd82a7

SHA1
dda7a316dcc7337321097ebfd00948bdde64866f

SHA256
a26de5a466a11b510d3dacded8d4c6a9d8de64affd4a31336740027527c9ae90

SHA512
144c32c4bf9efc5bf2ed3a1bccc76dfce4c8e2cc36907602fda67724086842e974102f8641e3ddb56906348cb85c8ce55d7cec23e2e35961b7a2a6caf136e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2120-9-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/2120-18-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/2668-23-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/2668-25-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/2668-24-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/2668-26-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/2668-27-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/2668-28-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3580-0-0x0000000074F42000-0x0000000074F43000-memory.dmp

Filesize
4KB

Download
memory/3580-22-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3580-2-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3580-1-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads