metamorpherrat | c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd

General

Target

c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe
Size

78KB
MD5

16e8f2f151fb0d552a07d5cfc36aa121
SHA1

bb2267c5bae6c55fa3a85f39bdf75faf8d7aa231
SHA256

c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd
SHA512

b66fe62f462cb59943d828a5561730bd9fe73b3df87e57d702df9d0a3cf243f2f546eb67e90e3700c715af38c579d82f60591a5cb0b5c4ddf345e249669d1f65
SSDEEP

1536:qCHY6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtI9/YCa10b:qCHYI3DJywQjDgTLopLwdCFJzI9/YC9

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe

Executes dropped EXE 1 IoCs

pid	Process
4232	tmpB3DF.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB3DF.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe
Token: SeDebugPrivilege	4232	tmpB3DF.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 3760	2996	c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe	84
PID 2996 wrote to memory of 3760	2996	c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe	84
PID 2996 wrote to memory of 3760	2996	c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe	84
PID 3760 wrote to memory of 1772	3760	vbc.exe	86
PID 3760 wrote to memory of 1772	3760	vbc.exe	86
PID 3760 wrote to memory of 1772	3760	vbc.exe	86
PID 2996 wrote to memory of 4232	2996	c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe	87
PID 2996 wrote to memory of 4232	2996	c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe	87
PID 2996 wrote to memory of 4232	2996	c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe	87

C:\Users\Admin\AppData\Local\Temp\c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe
"C:\Users\Admin\AppData\Local\Temp\c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lllqjxpe.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB48B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc78801904566C46ABA3FBA7D36AC6F3.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1772
- C:\Users\Admin\AppData\Local\Temp\tmpB3DF.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB3DF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB48B.tmp

Filesize
1KB

MD5
4cea14572fbda4ee908a0d3f575c996a

SHA1
e4b944e14753d495eaf97caf64a6f9deb547fa08

SHA256
f5ab60a529d6585c26385dbb2df350238d110ff7189efa866a0c4b8732e2922a

SHA512
cf723361ba57385d4b424065bb281aea6da5c42e3f869481e3254d8927016215898fbac80968729582b75788a318f2bcbd7612f562ddb5c9ca347c75dc1740ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\lllqjxpe.0.vb

Filesize
15KB

MD5
48e3140059812219e289556aff7788fb

SHA1
c001cb635a0e1fb29c971f4b45eeb571bc0babc7

SHA256
18baeb7b9256171c041367ecba40a172157d274ce9f32661857c9dc82cf50b0d

SHA512
59deed2ca7febe7a697fe2771e0fb356e6d2185fddb14b05e81c30b8b3e4ebaadf6e497bd6d0df8149dbf3d46a11dd6ace85b86d48981d130c5bd31cca8b42d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lllqjxpe.cmdline

Filesize
266B

MD5
f0cc528b334c18ef8c147f109f6590a5

SHA1
dd8e7317625aeded56e8ef54d8a78cf76b0588ac

SHA256
3871bf189d8b556f09b9c386cd4592f1a95ee6b8c6f8834a3dc5559896380238

SHA512
6e38e251232c9ae943820aacca0689eb4e3ff14fd843d9fc968709c2ac0422adba456f919e1b3c8770d1dae96cb3f6df3db2cb9beb20de837d513d41ad7f27a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB3DF.tmp.exe

Filesize
78KB

MD5
c80b138da331df2e39542724831bb49d

SHA1
160e3c27bd3df191952cf9310c4e3baa59deef06

SHA256
cff4be7f6a347f83be44cf8280009ea8fc61796d26a6cc11098fd5295b3de656

SHA512
9155e9f589897166b2cb9725fcabaf0f80c060da55ad2ddbbb8c2922f919c422b71a8a68ba7b4505ed784c40524f50180a6ff89a8fc3c9913c2e0e97b3fbe071

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc78801904566C46ABA3FBA7D36AC6F3.TMP

Filesize
660B

MD5
e1c85d8ff8a3dcf6480edb98e98cd1d3

SHA1
e57527a470343636d28ab68531bc492fe675db3e

SHA256
115b4d4532ebf214dd15db60bd8f36f60528ef1b709b3891f8e4c6d242a3371e

SHA512
55213f4090efd664f5f054c5f4433977b01e17b608079030ee721b0a5d20917a4f0dc4b0b6f8f1aeb595ebcc0ba679975ca916b4f6031db66e3004b310d23339

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2996-1-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/2996-2-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/2996-0-0x0000000075392000-0x0000000075393000-memory.dmp

Filesize
4KB

Download
memory/2996-22-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/3760-9-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/3760-18-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/4232-23-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/4232-24-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/4232-25-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/4232-26-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/4232-27-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/4232-28-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/4232-29-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/4232-30-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing