metamorpherrat | 97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f

General

Target

97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe
Size

78KB
MD5

4aa46b57e4b1c31ae996afdd8e28f03b
SHA1

0a49f02e2b13a0d06f6133ca05266317c6ea460b
SHA256

97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f
SHA512

7521aa642f56e222be96a7f9dd571684ec41e31a452b18babdde5775b917c32415731f37082941836ab9a9a344f3b1d7e31aa559c2d95f8d048d1e1d21f18bd9
SSDEEP

1536:aPWV5jBpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtd61K9/R/1n+Y:aPWV5j3JywQjDgTLopLwdCFJzmK9/RQY

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe

Deletes itself 1 IoCs

pid	Process
60	tmp91B1.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
60	tmp91B1.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp91B1.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe
Token: SeDebugPrivilege	60	tmp91B1.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 3476	1324	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe	83
PID 1324 wrote to memory of 3476	1324	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe	83
PID 1324 wrote to memory of 3476	1324	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe	83
PID 3476 wrote to memory of 1724	3476	vbc.exe	85
PID 3476 wrote to memory of 1724	3476	vbc.exe	85
PID 3476 wrote to memory of 1724	3476	vbc.exe	85
PID 1324 wrote to memory of 60	1324	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe	86
PID 1324 wrote to memory of 60	1324	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe	86
PID 1324 wrote to memory of 60	1324	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe	86

C:\Users\Admin\AppData\Local\Temp\97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe
"C:\Users\Admin\AppData\Local\Temp\97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\owd_q9hx.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92E9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D9D44CF9C484306B6C04F7EA1433BEA.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1724
- C:\Users\Admin\AppData\Local\Temp\tmp91B1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp91B1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES92E9.tmp

Filesize
1KB

MD5
3ef603acf2ea7a14152086426fd90a5f

SHA1
26fd260db43a41d639a960c81b7eb199167a11d1

SHA256
d53d29d5fd4e3fbfbbe4c13db6c5d446485eab0188ce3f32dd8af21bab2c6186

SHA512
1894932356b5669ebca23100c276fc704be6916466b9052da1f7bd204c38e9f5776340326ea5d6c0b9b9765e106590c4b54f97eaca9a44115063c25babbd43d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\owd_q9hx.0.vb

Filesize
14KB

MD5
ba616c5b4ea4a664ea9230fbc7167ba2

SHA1
7228e729a74ef594a447bcce47c6d53ab1c6f22e

SHA256
cd3c5a6d0e946050e2f36e3788dd16ab76acf9e8e8b7ed38aa9107f7a6c09c35

SHA512
0f92974b87239af7d9f80d217884a719e2784f4fb02ba74b8e36435571186d0bb492c51f9b70c6433667823b277952e9fb9c3f3c2dabbcab7d6b70e679f86cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\owd_q9hx.cmdline

Filesize
266B

MD5
53c17d1b8bc762c25e0175722871d22c

SHA1
b5aca6cda56f23198665ff24efdfcc93f97fe25f

SHA256
8f62d93aa41fe9cc0e255e4d1e082aaef0faab6a121d9fbe0342bbbe802c0f92

SHA512
d6f4db50a38d5a4d536b05d3a00ad0071fe6d678baf4f8ac6ef11aa2cba0166efebeac22ad4eb8b4bce3634e64b6a814526336d542d762374970faeb20ca0d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp91B1.tmp.exe

Filesize
78KB

MD5
7a910e604468bcaf91b51cb217d5fb6b

SHA1
78b358819ae0cc16a4bc4eeab3c5fbbbce4eb933

SHA256
e797bea826c64c753a7b3955784e2bd6c326e823d78c0fccee4ff42c0547ad6a

SHA512
6af580ac038c88f4a0c78f323f023be19da2d72efc997d7f2292509763bae7d61cbb296017aa6502a902b894f6c7968a1890abcfec2976352983e54f00576818

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9D9D44CF9C484306B6C04F7EA1433BEA.TMP

Filesize
660B

MD5
5a47c63137affcef1f4b42a759cbf788

SHA1
f34537c166094144bfca5b2bfcf41a8a5a9fc9b5

SHA256
c4ef17b3efbb6bd73e300877072fec08099605fc3ffe6fa338bee3d1bdd3bafc

SHA512
4ed6e23be19da0ad960b56a9c6fd0c1fc1f875555f807d4ae205e4504f85310685b9d956484d91e145839deb00bdec06213c10b70c58308e562a46bb341e9eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/60-25-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/60-23-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/60-24-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/60-26-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/60-27-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/60-28-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/60-29-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/1324-1-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/1324-2-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/1324-22-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/1324-0-0x0000000074AF2000-0x0000000074AF3000-memory.dmp

Filesize
4KB

Download
memory/3476-9-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/3476-18-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing