metamorpherrat | 6ed73d82e1f9b9698bcb5e2b3a1d9340a36f1233b28c78df4641afee0c176eb1

General

Target

6ed73d82e1f9b9698bcb5e2b3a1d9340a36f1233b28c78df4641afee0c176eb1N.exe
Size

78KB
MD5

219ff5717a3990e5855dad3cc6ee4e20
SHA1

92be85556d7175b73487ca2bb61b8c28346a37dc
SHA256

6ed73d82e1f9b9698bcb5e2b3a1d9340a36f1233b28c78df4641afee0c176eb1
SHA512

687c37ccace3541004b35fda14f83ad9c96d10a7f0f67168010c41fc6baf412926a290f762d687abe4ff7df51d4e5aec92bfed65fc65fbfc0bd651a99cafc1c3
SSDEEP

1536:UCHF3uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtV9/+13V:UCHFP3DJywQjDgTLopLwdCFJzV9/K

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	6ed73d82e1f9b9698bcb5e2b3a1d9340a36f1233b28c78df4641afee0c176eb1N.exe

Deletes itself 1 IoCs

pid	Process
4828	tmpAB34.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4828	tmpAB34.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ed73d82e1f9b9698bcb5e2b3a1d9340a36f1233b28c78df4641afee0c176eb1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAB34.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	6ed73d82e1f9b9698bcb5e2b3a1d9340a36f1233b28c78df4641afee0c176eb1N.exe
Token: SeDebugPrivilege	4828	tmpAB34.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 4920	2384	6ed73d82e1f9b9698bcb5e2b3a1d9340a36f1233b28c78df4641afee0c176eb1N.exe	83
PID 2384 wrote to memory of 4920	2384	6ed73d82e1f9b9698bcb5e2b3a1d9340a36f1233b28c78df4641afee0c176eb1N.exe	83
PID 2384 wrote to memory of 4920	2384	6ed73d82e1f9b9698bcb5e2b3a1d9340a36f1233b28c78df4641afee0c176eb1N.exe	83
PID 4920 wrote to memory of 2040	4920	vbc.exe	85
PID 4920 wrote to memory of 2040	4920	vbc.exe	85
PID 4920 wrote to memory of 2040	4920	vbc.exe	85
PID 2384 wrote to memory of 4828	2384	6ed73d82e1f9b9698bcb5e2b3a1d9340a36f1233b28c78df4641afee0c176eb1N.exe	86
PID 2384 wrote to memory of 4828	2384	6ed73d82e1f9b9698bcb5e2b3a1d9340a36f1233b28c78df4641afee0c176eb1N.exe	86
PID 2384 wrote to memory of 4828	2384	6ed73d82e1f9b9698bcb5e2b3a1d9340a36f1233b28c78df4641afee0c176eb1N.exe	86

C:\Users\Admin\AppData\Local\Temp\6ed73d82e1f9b9698bcb5e2b3a1d9340a36f1233b28c78df4641afee0c176eb1N.exe
"C:\Users\Admin\AppData\Local\Temp\6ed73d82e1f9b9698bcb5e2b3a1d9340a36f1233b28c78df4641afee0c176eb1N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t4bkbgv4.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC3E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE9B3482873EE46E38BADE8329A8E7F7.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2040
- C:\Users\Admin\AppData\Local\Temp\tmpAB34.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpAB34.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6ed73d82e1f9b9698bcb5e2b3a1d9340a36f1233b28c78df4641afee0c176eb1N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAC3E.tmp

Filesize
1KB

MD5
0f1ebff30096b250934dc349c4d7fc9b

SHA1
7f1341f5ab05c2d316ba2f298d50c0652757b16a

SHA256
0e01119849557c6afcc87a1af4bf8385f7b52d4ad579608fa8f93b7851149b86

SHA512
7a5c00ab692173539fd4c237660412707e2e15becbbb3cd9f1fac94ce586d9db579587fb05fd30523e22982eeb0b3eea04b5772430272fb8c4c7273e202a00e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\t4bkbgv4.0.vb

Filesize
15KB

MD5
3953082329b17d89546d0f74f6d41704

SHA1
375c49cad1f160d95be4717f8931071bc3efcac2

SHA256
f014cef6beef9e250c324b8d9dd88ad75241421c58c14e557dcc520bdd6850d6

SHA512
54c040abf0f1ff9bde9a126da0ca1b1d1b9d661c8e8e4328327531126cb812e1e16c609ce7a70981012d59508b773085239ab53f351bd484c5f3dd76514a79d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\t4bkbgv4.cmdline

Filesize
266B

MD5
20f5c003060b83a39b1c3199e6ac7cc7

SHA1
5e5e956513d4bfe67644c8af0a2e52516c0faf95

SHA256
36bc379fc6314b680373a36096150ae7ca28c33e9b914529e21cb025fa2b169c

SHA512
eef2fe15659e30b72625324378d1315f6655ef51a0a7ee68b992fe26560100b0d95a3971f77d574c18c5e5d5d49ef418da15215b43301cef00bc2704177d281b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAB34.tmp.exe

Filesize
78KB

MD5
1ca2b8b041af2a243f406d5134394425

SHA1
83798e664028aca14f607a32f386417dea00d4d4

SHA256
e64a36c3c686c4818d585baa3c753b29d057917cd9b445e5084fd35d33fecec2

SHA512
f95a795a573d95dc4c48890a76b0d4d46e5b833ffc56801154f866466e2f2e3bd188dae024706f2e4b2d7bb2ee126a73dded8d15a1c236fcc790902f3e4f6493

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE9B3482873EE46E38BADE8329A8E7F7.TMP

Filesize
660B

MD5
64beb6e92d9fc8ea20eeb56d639f3a62

SHA1
112175bdef8d8a5aa577244047e37e1d066b0fcc

SHA256
768bf88cb63fb2de48c98b742e8a53ec0773635289ceaf0832ec18544200e38b

SHA512
18f67acea78413087d91b73f1cca9a48508b75065b796b3f93fa9e12b772c317c8dde7ac0833e0d1e0738cf27adbbbdd308b02a351c307af3b31d779bd7f5c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2384-1-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/2384-2-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/2384-0-0x0000000074D22000-0x0000000074D23000-memory.dmp

Filesize
4KB

Download
memory/2384-22-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4828-26-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4828-23-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4828-24-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4828-25-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4828-27-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4828-28-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4828-29-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4828-30-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4920-18-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4920-9-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing