metamorpherrat | d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8

General

Target

d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe
Size

78KB
MD5

12d67b325bddf3008d6a2bbec29d76d4
SHA1

45b0bdace068df0c2e09da72f0159d0b56b1dcc1
SHA256

d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8
SHA512

c495859022f6bccea7d6c181383b189308cd064e20fec06ac0a125cc67936868b2bc796d51c52a16030427dc8ee24e9f2bff8f51146de51eb02e144dc775771d
SSDEEP

1536:LCHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtG9/E1dV:LCHFoI3DJywQjDgTLopLwdCFJzG9/q

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe

Executes dropped EXE 1 IoCs

Processes:

tmp803C.tmp.exe

pid process

2324 tmp803C.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2324	tmp803C.tmp.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vbc.execvtres.exetmp803C.tmp.exed3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp803C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exetmp803C.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4308	d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe
Token: SeDebugPrivilege	2324	tmp803C.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exevbc.exe

description	pid	process	target process
PID 4308 wrote to memory of 3120	4308	d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe	vbc.exe
PID 4308 wrote to memory of 3120	4308	d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe	vbc.exe
PID 4308 wrote to memory of 3120	4308	d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe	vbc.exe
PID 3120 wrote to memory of 3656	3120	vbc.exe	cvtres.exe
PID 3120 wrote to memory of 3656	3120	vbc.exe	cvtres.exe
PID 3120 wrote to memory of 3656	3120	vbc.exe	cvtres.exe
PID 4308 wrote to memory of 2324	4308	d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe	tmp803C.tmp.exe
PID 4308 wrote to memory of 2324	4308	d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe	tmp803C.tmp.exe
PID 4308 wrote to memory of 2324	4308	d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe	tmp803C.tmp.exe

C:\Users\Admin\AppData\Local\Temp\d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe
"C:\Users\Admin\AppData\Local\Temp\d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d6dy7tkl.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8126.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDF055A6C7130448BBE4136228EA59085.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3656
- C:\Users\Admin\AppData\Local\Temp\tmp803C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp803C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8126.tmp

Filesize
1KB

MD5
31abd572ec84bbf6352f705961680929

SHA1
0627cb19c4a72a44a7717ec3d43bcfec28fdd337

SHA256
e1481750db6760b821bfbf47fc09d8ae1bc5c14f4272085352760fcb80f31777

SHA512
bd194a59a3e69f34625e902b17673ee9810eabcfe35c68ffde400441a53faf56a4b8ab553cbbeb14e121998ee91ba16984c09172369edff6014c8a7592f05501

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6dy7tkl.0.vb

Filesize
15KB

MD5
dd6f902c19de1b3932e5de60613f58f4

SHA1
b92986a1b0898a82cde6973870fbad8b8fabf39e

SHA256
ce1b49e69620b65d2a2b19c0cbd77917279e999138706068ef274366b778c3cf

SHA512
1bb4b1aa5b2371b0bc6b85b6da3d1e049ab1dd47e12f65c02a15a943946cce366bad9a92230a6f46ee90b9d3fa13c05adb87dbb7f9a2dbb75edf5d76013c3d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6dy7tkl.cmdline

Filesize
266B

MD5
83352f043a9f5304847b37e3c51d2764

SHA1
4c8abe32b68cbd2f958ac9600ac7316b45b39389

SHA256
1a27f1a0944e2979b0ea33850db01ddd7b5ca91c4ab65e1167ba045cad52f8be

SHA512
009fc72acb0e2fac0a0d69103757281abd2cfed57948c511058fd3e9a31601b1a023fa75039a4648dc3375507b86392801f24432dc68b6d4415cad23d8c25ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp803C.tmp.exe

Filesize
78KB

MD5
c02a72c1ac68d8c44ef01d5d172c9a02

SHA1
fc84ac560a6051156171b631b54c0827cd495354

SHA256
089128081eb6e9213fe9a9c7a7e8546d6626072cb6e198f00373b4475c4fa523

SHA512
ee25aae534bf1e91967ca94f8b914fdb7e02f0728aca9cc729974ab093a9e491dadadf5aef597e0b7ee3c2507d99e194b85ff4f40332ec59b1985f0bddaffb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDF055A6C7130448BBE4136228EA59085.TMP

Filesize
660B

MD5
86c3c7d554b76e05157d76c39f5fa1f9

SHA1
86c3c0c2f7a2d8127765f8b41cf48fb06c619a74

SHA256
2b6a2e1cef12face84dbb015400357f377cf5954bfe06d75ea5e98c918f5a2c9

SHA512
61ace03d1940bc57458319398bb2b7291f0ebc4b9d80220d23aa1eefb9cbe3fc1ff535404d71340d8488e232c62bcad823a367508ee52ce9980bea579ee7e25c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2324-23-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2324-24-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2324-25-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2324-26-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2324-27-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2324-28-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2324-29-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/3120-8-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/3120-18-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4308-2-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4308-1-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4308-22-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4308-0-0x00000000750D2000-0x00000000750D3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads