metamorpherrat | 8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0ba

General

Target

8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe
Size

78KB
MD5

997fdef1f74300e8381a467d3bbdac00
SHA1

352c2bf3a99786aca90e980bb91fcc05c3975e29
SHA256

8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0ba
SHA512

1b093c766ac71459a46441989b2679fae70c50bf27b247d829f2720535796872e14138da1eb3a6ec798a656d29e982220e3d37fd980b83dad1168bc95e4ab38e
SSDEEP

1536:GRWV5jVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtd629/H1i5:GRWV5jDJywQjDgTLopLwdCFJzd9/4

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe

Deletes itself 1 IoCs

pid	Process
2804	tmpC15C.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2804	tmpC15C.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC15C.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe
Token: SeDebugPrivilege	2804	tmpC15C.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 4652	2408	8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe	85
PID 2408 wrote to memory of 4652	2408	8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe	85
PID 2408 wrote to memory of 4652	2408	8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe	85
PID 4652 wrote to memory of 3632	4652	vbc.exe	87
PID 4652 wrote to memory of 3632	4652	vbc.exe	87
PID 4652 wrote to memory of 3632	4652	vbc.exe	87
PID 2408 wrote to memory of 2804	2408	8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe	88
PID 2408 wrote to memory of 2804	2408	8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe	88
PID 2408 wrote to memory of 2804	2408	8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe	88

C:\Users\Admin\AppData\Local\Temp\8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe
"C:\Users\Admin\AppData\Local\Temp\8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3osdbmqg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC40B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17D2F1E78DEB4F7E89E5D68DF3B641E3.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3632
- C:\Users\Admin\AppData\Local\Temp\tmpC15C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC15C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3osdbmqg.0.vb

Filesize
14KB

MD5
6c453f6db46b9014d86c95c6f8ff21c6

SHA1
66135c3530b2fe215598810c30f8b63dc0c113c4

SHA256
486b01e160c80b6fab70f775920bf5344046b4e8d91e39b4ed3c169c15d7c17a

SHA512
dc45c63580ac0f833ef6e082ee2f22075e5715e251d12954b0a890c9210727ddec1b51872df79ff03c9ac35c55f594bb86b6a1eb415e2bde7ca50480786e2af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3osdbmqg.cmdline

Filesize
266B

MD5
0f09905b0378f36b3ff17c6e05290bb0

SHA1
9cbf791afca4bdf7c18a6232f2928c8b44862bb9

SHA256
4aaffb703cc6debeeea2d14a06d2fc9320265ca7c55f08b857c8efb09e0ea3c0

SHA512
a9f4a1f2e8f1da94ad0cf2497016b04a98f4171d482d1199a58126fec2632b32e8d7eff2aecd647a06b30c0f901db35660c4ec7ba581106e9ff299628897999b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC40B.tmp

Filesize
1KB

MD5
9293c18d6a4174793ee895fb2d3fc673

SHA1
e5a669f06322332ef712383981704e317a1bb276

SHA256
4163d8dbbc2fac534dafbb5271ce60b6ad5d74291897889c16877b8f50934c76

SHA512
83a3dd60f7c61b80144cd34187ca45071b55439ce43905622b1019e89bb2964870e2609c221b64655eea2d8023a90e19ca64046779c559801eacfda9e7853518

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC15C.tmp.exe

Filesize
78KB

MD5
2ef423d67b93c54e9976985c415b4d34

SHA1
6484ded7bca63bffba75d4df3c99dbce90813f38

SHA256
39ebb192aff9436bbd16281532a2e1efb8f8d035e8f1fc527367195ae83e8975

SHA512
9f6e60c2e260142c233857df6f921f117e2094cc6d239b715c15101145b550a5d14b390ef2aa0918e811313354107d4fb688a10d9b525864f9d3dc27de8c2df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc17D2F1E78DEB4F7E89E5D68DF3B641E3.TMP

Filesize
660B

MD5
a218dc90c4a6b7f7d779bcf5624dbff7

SHA1
1e2ec8ebdba5b1944002399e82f97c6cd932179a

SHA256
3d94346ab0f91cee1f9065445e3a170d43904d6abc4f8a9120dffe67824eeec8

SHA512
e0b653ba50efb4c485409f8ce7259056d48fb1070742a64f2ede93a42b8d601573d100348caccbd9e3ed5552e3bd7bb783bdff7711deee4cc7e3f9be6a5408da

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2408-1-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2408-22-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2408-0-0x0000000074F92000-0x0000000074F93000-memory.dmp

Filesize
4KB

Download
memory/2408-2-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2804-23-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2804-24-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2804-25-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2804-26-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2804-27-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2804-28-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2804-29-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/4652-18-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/4652-9-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing