metamorpherrat | f58a54d237ab106bfce87ad8298f34fd76a1249dbc1415bf707978c9db67ec97

General

Target

f58a54d237ab106bfce87ad8298f34fd76a1249dbc1415bf707978c9db67ec97N.exe
Size

78KB
MD5

3392feb439137c03347cc1e11a469960
SHA1

ba75a518a4378e9d2e1a3308b84ac918580f425b
SHA256

f58a54d237ab106bfce87ad8298f34fd76a1249dbc1415bf707978c9db67ec97
SHA512

6441c853c28951c0549247c55627782d161c58d660505ca322910cfec85abf3e7f6e8d135a34c35f3df1e6cae5c6ca9921791a51505925d603876031e034e7be
SSDEEP

1536:THF3uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQt09/C1HH:THFP3DJywQjDgTLopLwdCFJz09/A

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	f58a54d237ab106bfce87ad8298f34fd76a1249dbc1415bf707978c9db67ec97N.exe

Executes dropped EXE 1 IoCs

pid	Process
3140	tmp903A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f58a54d237ab106bfce87ad8298f34fd76a1249dbc1415bf707978c9db67ec97N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp903A.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	32	f58a54d237ab106bfce87ad8298f34fd76a1249dbc1415bf707978c9db67ec97N.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 32 wrote to memory of 3604	32	f58a54d237ab106bfce87ad8298f34fd76a1249dbc1415bf707978c9db67ec97N.exe	84
PID 32 wrote to memory of 3604	32	f58a54d237ab106bfce87ad8298f34fd76a1249dbc1415bf707978c9db67ec97N.exe	84
PID 32 wrote to memory of 3604	32	f58a54d237ab106bfce87ad8298f34fd76a1249dbc1415bf707978c9db67ec97N.exe	84
PID 3604 wrote to memory of 940	3604	vbc.exe	86
PID 3604 wrote to memory of 940	3604	vbc.exe	86
PID 3604 wrote to memory of 940	3604	vbc.exe	86
PID 32 wrote to memory of 3140	32	f58a54d237ab106bfce87ad8298f34fd76a1249dbc1415bf707978c9db67ec97N.exe	87
PID 32 wrote to memory of 3140	32	f58a54d237ab106bfce87ad8298f34fd76a1249dbc1415bf707978c9db67ec97N.exe	87
PID 32 wrote to memory of 3140	32	f58a54d237ab106bfce87ad8298f34fd76a1249dbc1415bf707978c9db67ec97N.exe	87

C:\Users\Admin\AppData\Local\Temp\f58a54d237ab106bfce87ad8298f34fd76a1249dbc1415bf707978c9db67ec97N.exe
"C:\Users\Admin\AppData\Local\Temp\f58a54d237ab106bfce87ad8298f34fd76a1249dbc1415bf707978c9db67ec97N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:32
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\epgmrh_p.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9143.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFF1A3589E92C4CE584FDE5784BB6FE7.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:940
- C:\Users\Admin\AppData\Local\Temp\tmp903A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp903A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f58a54d237ab106bfce87ad8298f34fd76a1249dbc1415bf707978c9db67ec97N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9143.tmp

Filesize
1KB

MD5
6d3bb1865f6254ca31f3f0457a4164a6

SHA1
812b83aa9c72fe0a35c05ecf14a2be9ac8b4f8c9

SHA256
5d4d58da55620470670592d3fbeb388646003917e5933be4a3d2aaf09977c452

SHA512
0eb06170180fb060e7c65f02c74aac1515f1fad4e6d5545cfceb78dc367a0d62ffec15d1863b51a8c42d3fa45af06390077a1b90409de36917513db186bf30f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\epgmrh_p.0.vb

Filesize
15KB

MD5
61b4de779ba471ef0f312737dfb50946

SHA1
442655cc3db84ec2dbecb76f64d71b7306c5efc1

SHA256
173d774bb231fe6a9c712462561a8c32031ffad58e5d0e3ff123308d13e6be21

SHA512
346aabdb7e3aa869e84d8dad4a060617ad50596886a22b7934f2efea46015ce680d339fbfc63c81220a5843c6d005f58cdbebf5941828b3ff374268be1134c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\epgmrh_p.cmdline

Filesize
266B

MD5
1a718d3cbff780214a0c8682d581cd53

SHA1
589c3a7614926213ebea44f3e45fc2281e647452

SHA256
7d136d4a1a8b7e1014f9cbfc4cf14420103db0c4a7c7b2f3378b094627856ee6

SHA512
32f7c7d2349577a590716d1963b997dd67a5aeee788f177ababd13e1284fddfe43eac41bef494b43ace58839c2b9695a38a6607f4930e5929be2dc6dbe94b3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp903A.tmp.exe

Filesize
78KB

MD5
4f74e41e9375661b5e686138d8200cb2

SHA1
4efd005394574329c0dd0aa402996cc44a8ef43d

SHA256
66fc788e1c88e7f0137622f03fcc6cd1fd856dfd8de2dad604e1d1ce6a87495d

SHA512
0c58baa7d1034241476421f804cf99e4e37402b9ade232db580e3d45aca2faea21e5c3dc1c2d3fb03679f17c6361218a56bcbebb6168547168c16af43b089a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFF1A3589E92C4CE584FDE5784BB6FE7.TMP

Filesize
660B

MD5
3c6b1f6ff1bd0c7c710f1b5883b601f5

SHA1
b4ff91f52ea39a19a27b42d8756921beed95c6b4

SHA256
708c2ce320182ff64fee1ec9e5430297a1efac9672ec9fd74dd3b4f0f6b89425

SHA512
13bc116efa9d81b5d3569d9100ad638515385afb1a0402ab350b571b125a15de929a08dcf4aa196f2d9863674f14ef77174aef6ee485617c7a98934f346778c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/32-1-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/32-0-0x0000000074812000-0x0000000074813000-memory.dmp

Filesize
4KB

Download
memory/32-21-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3140-22-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3140-23-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3140-24-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3140-25-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3140-26-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3604-7-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3604-17-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing