metamorpherrat | a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954

General

Target

a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe
Size

78KB
MD5

6fd1d6408ef2c4b1fc75cb8ba9517110
SHA1

a26a7ce37aa97802bd266304b5b74a0370bd48a4
SHA256

a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954
SHA512

66f874efb594de7e3954ede98f71f1ce1889fd855f09a8deafeb621114bcc266480491d98925456bb721253273759c729b914019621e70d209cf500dcc11722d
SSDEEP

1536:IvWV5jKpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtt6U9/T011h:+WV5jEJywQjDgTLopLwdCFJzL9/6

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe

Deletes itself 1 IoCs

pid	Process
1952	tmp96C2.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1952	tmp96C2.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp96C2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1284	a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe
Token: SeDebugPrivilege	1952	tmp96C2.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 3156	1284	a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe	85
PID 1284 wrote to memory of 3156	1284	a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe	85
PID 1284 wrote to memory of 3156	1284	a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe	85
PID 3156 wrote to memory of 2896	3156	vbc.exe	87
PID 3156 wrote to memory of 2896	3156	vbc.exe	87
PID 3156 wrote to memory of 2896	3156	vbc.exe	87
PID 1284 wrote to memory of 1952	1284	a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe	88
PID 1284 wrote to memory of 1952	1284	a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe	88
PID 1284 wrote to memory of 1952	1284	a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe	88

C:\Users\Admin\AppData\Local\Temp\a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe
"C:\Users\Admin\AppData\Local\Temp\a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7wszs3vq.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9952.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc871868DE612644F5ABBB2E7C6112BF.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2896
- C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7wszs3vq.0.vb

Filesize
14KB

MD5
a5b8ab2e1274681cade968182029ed61

SHA1
0d18635971d33f6d7f2f923f59c24b41a1fdee50

SHA256
7ef83ef95f3cc0622a36c606e7fdd48358f77bb744bcfa70b81f3997195ab63c

SHA512
72b0e22ef346d745e3ea1c945de410e91ace26301f53f927af46086db2390af85f95b757fdb1ace68e6158f387db07a0bd03d1be1f5c0bb20399347063b400d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7wszs3vq.cmdline

Filesize
266B

MD5
058af754dc8fa7c57c94553623bbcc43

SHA1
32fb2a6aa8aa78f52afd4199b86286d0b75a10c2

SHA256
d5862e53d9f115ba1446e4fc524363612a381c8453feb8d4562839c85abfb9ff

SHA512
ae46beca1988e82a4d634ca8732a706bdbf512072a3171f7cf68f88b3c4a3058f545ed927a9d5195b4abd4e834704edcdef2567c029173a92c6af0d564f6ff38

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9952.tmp

Filesize
1KB

MD5
1961918fd68f67811ba7a422f2538926

SHA1
8ee09388fb2d33b71bee2a59074faa867aafc494

SHA256
49e8608389af6a44c1930ee733d1b500c838e19c2a7a716441ba3f86b422f627

SHA512
c263666afd3c851f86f67adc91eaac24ca2d8039b767cae660cec3cbca5628b121dca0e987d5b2f0d64fd308b8f5574c83f199c8da8f568d22dc5d55812a66f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp.exe

Filesize
78KB

MD5
091a82b356f3bfa42c69f0cb09b0d196

SHA1
2a5ea651ff5b6f96b8dab3a96c56c14fed6ef3b6

SHA256
8e5a0857c2def0a1696bb37e2e30f32354c391428e86b80cba3fb42cd912bd83

SHA512
892ac395e50d563d051e60e69769295596801fb7981636d169625234d0af6c833ee3854130cb04a7bfbae39e2fa1902f642e59d46209bd38bdd43599fbae07c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc871868DE612644F5ABBB2E7C6112BF.TMP

Filesize
660B

MD5
8edb0db0810e7db3b678904807e76f40

SHA1
06901b718597fb0993672f9748a966a772f187b8

SHA256
78ca6e48d5a2958935c623fcf65ccd20e0b3df47d1fc4e217070a26544d2efcd

SHA512
3be68dcf6684540cd961b9e3a6e216a089b1724a1110212b5202121a0bda67ae7f9628520a5990ea762f92fa806b00efafe94f255ba6666fcbc4a67e33737c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1284-22-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/1284-2-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/1284-1-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/1284-0-0x0000000074822000-0x0000000074823000-memory.dmp

Filesize
4KB

Download
memory/1952-23-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/1952-24-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/1952-25-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/1952-26-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/1952-27-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/3156-9-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/3156-18-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing