metamorpherrat | 8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986

General

Target

8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe
Size

78KB
MD5

6aaa8712e3a827682516810fe4519f77
SHA1

a660917f9c7caec977de9f93bf8ace9ec7fddedb
SHA256

8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986
SHA512

733215a309c7d377a284b3e4c29d0c089c62cddf08bd50a19d391eba1648a5b060cd5e86989d630dca04fedeea4b5e3553049e15428ae35271112bff3e17c899
SSDEEP

1536:RtHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtR9/QQ1X1L:RtHFoI3DJywQjDgTLopLwdCFJzR9/QsL

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe

Executes dropped EXE 1 IoCs

pid	Process
4816	tmp758E.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp758E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4080	8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe
Token: SeDebugPrivilege	4816	tmp758E.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 3092	4080	8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe	82
PID 4080 wrote to memory of 3092	4080	8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe	82
PID 4080 wrote to memory of 3092	4080	8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe	82
PID 3092 wrote to memory of 4504	3092	vbc.exe	84
PID 3092 wrote to memory of 4504	3092	vbc.exe	84
PID 3092 wrote to memory of 4504	3092	vbc.exe	84
PID 4080 wrote to memory of 4816	4080	8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe	85
PID 4080 wrote to memory of 4816	4080	8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe	85
PID 4080 wrote to memory of 4816	4080	8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe	85

C:\Users\Admin\AppData\Local\Temp\8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe
"C:\Users\Admin\AppData\Local\Temp\8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ytsgflao.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7659.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc832D5E138F0B451F96C7D58B0DC3D4E.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4504
- C:\Users\Admin\AppData\Local\Temp\tmp758E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp758E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7659.tmp

Filesize
1KB

MD5
a68aaac585f48057f3eab04e15738434

SHA1
d91012320277c705e9eae810611ebc553559c728

SHA256
40fec6ce704d9c5be7fe11bfd11a9fc2669dc9ecd48f3a8b684931ace5155043

SHA512
267ff3454a66b857a9abd8ca176b60ffc025490da72b42b3b99623a047e48bc28aa64cf7fd15ae3b83a6e9ca18f5d3b1c76caf93f5ef0f05fdb4c7b83a6f4ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp758E.tmp.exe

Filesize
78KB

MD5
70fd986c46cb218dcf6230629ecfe839

SHA1
1a56d97da1b78f216ac41201a695a81b9f796328

SHA256
94215455a6eb2b347e824d6a04e581d7548987fca92e28b4f047807c6a226a92

SHA512
f8bf56440d09c079f10c469cd6e8743c6a40dc09996066b8b736108372b88e7ebb165e2858c35f27e5e3044dc05a10a7ee7266d24adafe8cfd4a2173f95d3ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc832D5E138F0B451F96C7D58B0DC3D4E.TMP

Filesize
660B

MD5
34612c187576b2bac1f3cf316b1bb539

SHA1
5aad982915cdaed3197ecb5a270ed14cc40458f9

SHA256
a8b9d51c2da7aca10406e47fafde6813dd35854389be2f5ec3b85abef98c1b68

SHA512
f9a82fa1f352d2766ffaa55a67416a3038afe7bbb255402d1ad1590f22108d840a311ad29851dbc466a8bd9216ce486b9586fafd87795ce5d8f0a2ebd1d58987

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytsgflao.0.vb

Filesize
15KB

MD5
d2cd74127a184ed3d27b6880f805b6d2

SHA1
10b7338c2603010351c3a7e295faa872ac8686f0

SHA256
5209452c1657b41de532d6cdf5aa940c271f259029adcc7aea3fc56349042206

SHA512
306046d9bf00e026d60a7dfa4786da625a774f8b0923d504b4751554b2a194ebb526f4cce3c076d45095db3a75576fefe12cb492b568ab6a8288f654fde1b75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytsgflao.cmdline

Filesize
266B

MD5
ac7812cac34c6973ff10f05b0dffe33b

SHA1
4935ed875e3cbf82df2532dc8f1f2c87498bf7b7

SHA256
ba779813760e26510c6a702b430a29e1e861f1dbd1d06b953e66c106bdec15cf

SHA512
b11f43e06851ca07b55285f447e4836c766a37b175fb93b35094236f5b1c9fcbe693fe4e3fe569f45d2cdafc12ae3e60143ca725dcb8148d49e2659f810b6a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/3092-9-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/3092-18-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/4080-0-0x0000000074FE2000-0x0000000074FE3000-memory.dmp

Filesize
4KB

Download
memory/4080-2-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/4080-1-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/4080-23-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/4816-22-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/4816-24-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/4816-25-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/4816-26-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/4816-27-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing