metamorpherrat | 3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088

General

Target

3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe
Size

78KB
MD5

1a096835dc9f1a35dd3d673d90aa7e70
SHA1

07e5e8aaa36c5962799ccc141ab942418eb28921
SHA256

3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088
SHA512

c8dc3363e955793bd50820d153e760f831289f71fc52a59e90a55c993d0bf87d19137870c780d62b316bb51e891a5327209c48e3b114de89212709fd49f782d3
SSDEEP

1536:txy5jKpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti6A9/UT1hsg:Ty5jEJywQjDgTLopLwdCFJzI9/bg

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe

Deletes itself 1 IoCs

pid	Process
3620	tmp756E.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3620	tmp756E.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp756E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4080	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe
Token: SeDebugPrivilege	3620	tmp756E.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 1868	4080	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe	82
PID 4080 wrote to memory of 1868	4080	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe	82
PID 4080 wrote to memory of 1868	4080	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe	82
PID 1868 wrote to memory of 2336	1868	vbc.exe	84
PID 1868 wrote to memory of 2336	1868	vbc.exe	84
PID 1868 wrote to memory of 2336	1868	vbc.exe	84
PID 4080 wrote to memory of 3620	4080	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe	85
PID 4080 wrote to memory of 3620	4080	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe	85
PID 4080 wrote to memory of 3620	4080	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe	85

C:\Users\Admin\AppData\Local\Temp\3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe
"C:\Users\Admin\AppData\Local\Temp\3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dgnggnd4.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7659.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF886D0892F96436BA191EE2254E544C9.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2336
- C:\Users\Admin\AppData\Local\Temp\tmp756E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp756E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7659.tmp

Filesize
1KB

MD5
06f29e9c144dc15f8416451379506846

SHA1
550c0326cad58c7a87191a2c68f43b7a184569f1

SHA256
2b615e24383a4672bc862d783125e17f5d5bda78c0082c17f087d601f804c2f2

SHA512
94785cafeaf99f351d67d449a62ea3a6f985855d9f1e6a18af099f109f80e1f2efaa1325518eacc61be154de2d53108992df60e4333bf0ee7d000bf328f4e2e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgnggnd4.0.vb

Filesize
14KB

MD5
eed6958d84c5086057c0aa4dc3847298

SHA1
ebdbb849b2d8e1bbee0757c25b46dace24b9ce84

SHA256
0551692a88eec66de44dab953b3621c21d4e4b69d4686833d3fdd9fe63677331

SHA512
620e967b7cdfa69afb38045777c05d78f9865e90dbd70748bb2ca9dfbfc7e6ac47d30872e18e9543b6540b05508a20b30518ed7cb32e7a2f9dab9c5233e3f8ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgnggnd4.cmdline

Filesize
266B

MD5
2c5a3a7e430764f3d5423ea3923d8ba9

SHA1
ab5079cfd83ed72d14c5c32a2596c2e16e6e8f97

SHA256
419bf4d55ffa92c364441f714caa4d63b2920c9d76832423a12a82a6b9c7ed97

SHA512
410cb0a44a025945bcc048f7ed38066cfe6448a891259bef5699d5e7c501e583f2eed4b583c590ded0f139a23ed43473a71e7865183cbfc7ebd75c85ccc524ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp756E.tmp.exe

Filesize
78KB

MD5
553d1a82b75292bafd33d857824b24b8

SHA1
697f9e9cf3a918e4058d32ae5d5f14cf83d6cf38

SHA256
e7558e1bf672c4eafd3e256fe17b8b6d190254ac9d1b04da1eee19310f8b82a1

SHA512
463a70e6e7d1e0a161655b71f00826940a1aa8b7adb76df4f725e2dcae7fb2c2f3f45badcf66256dbb402195c45c29b9fc2f0d91c25b90a5af19d2954937ecf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF886D0892F96436BA191EE2254E544C9.TMP

Filesize
660B

MD5
e1951b60cc8949f31b0cb80068c25593

SHA1
9fb4fbf0d190c924d4a2da395c91882f795111bb

SHA256
bc3d3204fc4a77b1d4c6da594f31eebdbbbf6b4235c04c0c9d81897fa7b17215

SHA512
fd87f702c9e2aacc8db0b094c6e6b9e1bd521abe2c11f6518d099cc22a4835353ba7802a1507bf1e8945a5c4ecf7d05eb6c210f025dc4d5f03bb93ed6311e14a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1868-9-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/1868-18-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/3620-23-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/3620-25-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/3620-24-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/3620-26-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/3620-27-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/3620-28-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/4080-2-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/4080-0-0x0000000074FE2000-0x0000000074FE3000-memory.dmp

Filesize
4KB

Download
memory/4080-1-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/4080-22-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing