metamorpherrat | 1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858

General

Target

1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe
Size

78KB
MD5

1febe87029e171a05962959110aedf67
SHA1

402257db7a85b52cbd447e31e40fe84c57783194
SHA256

1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858
SHA512

909f46b2acdcb9d27bdeea1d03e370dbf8ec9df606b4825dc367fd67380aeb4c67b395d159bc3329e3b9e929e422081a3ec02d0983b74eb3bced811d9a039068
SSDEEP

1536:IvWV5jKpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtt6U9/T011hN:+WV5jEJywQjDgTLopLwdCFJzL9/6N

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe

Deletes itself 1 IoCs

pid	Process
100	tmp9B65.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
100	tmp9B65.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9B65.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4444	1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 4108	4444	1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe	83
PID 4444 wrote to memory of 4108	4444	1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe	83
PID 4444 wrote to memory of 4108	4444	1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe	83
PID 4108 wrote to memory of 4520	4108	vbc.exe	85
PID 4108 wrote to memory of 4520	4108	vbc.exe	85
PID 4108 wrote to memory of 4520	4108	vbc.exe	85
PID 4444 wrote to memory of 100	4444	1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe	86
PID 4444 wrote to memory of 100	4444	1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe	86
PID 4444 wrote to memory of 100	4444	1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe	86

C:\Users\Admin\AppData\Local\Temp\1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe
"C:\Users\Admin\AppData\Local\Temp\1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aqhx4fbz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D98.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc33BE59FD8CA43D6B21CD8EA6ABA276B.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4520
- C:\Users\Admin\AppData\Local\Temp\tmp9B65.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9B65.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9D98.tmp

Filesize
1KB

MD5
ad2a9e4284e844b8c243142050544f20

SHA1
bb8e506fea711f3de4ee5428545bf67168c61431

SHA256
f15c1e0a71ff082da1d4c274f2dd7f667ce64636c26c1fb91ebc572aff0f6461

SHA512
830bedcdaaa762ee6e8c10573a6cdd0a85aa649fba1e54600a9c05078e14e4ca358477847531589acea3bca0bb83f497c19aeba65102cd9c84580f1a819dc6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqhx4fbz.0.vb

Filesize
14KB

MD5
935d50e705f3fe763a795f1e281dd68a

SHA1
a00b87a4d3d8b99007d5df0fa48d8c48d77abbd7

SHA256
780f1b8d48ff088342a5aff9086b695ea4bf79ed2c0d59ebfb4ff0e6432bf659

SHA512
99a53d9fa2bb08151b123121404d151658303083927403ae4c3cc213c5260e7542c1c58ec2c4a4af9cdc7d5e1ac566cb800d2c4361c0c6cceb2609d011fb3782

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqhx4fbz.cmdline

Filesize
266B

MD5
ca7ed35b06686e1179c9de72a5231866

SHA1
be6c5e6c0dbd71a398427b877949be6354341406

SHA256
249ad4846c076aff1daa49c7227f491dda1c2963e54e49ecc9dbe35b4f6d3cbe

SHA512
71f16633615d70a4f9e86850d0228b8a99d824f72bc530e2cc9660334613e3d86d2261512fd2e74e0fccc292ac689ed9307bbd6807dfc40f2b96a29674acf628

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9B65.tmp.exe

Filesize
78KB

MD5
f2bf97d53e9ac918bf32e1b426d57f1f

SHA1
bbbc93ea803b7ad76556ac993474265acb784a81

SHA256
54e23aa9e0dc9825ce277c616376b5e613aa34ccee1b5af085aafe0d31ceacc4

SHA512
270cbe010e8126fcd27a455ad103d35ca43c742df29a3f4e415e260de73f8fbe53ad309cc3ee89392acd3c5b67aed6182769631f2ec302db6848bb1ec7d3ace9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc33BE59FD8CA43D6B21CD8EA6ABA276B.TMP

Filesize
660B

MD5
4f20f9b0f8634e74c2aaa12812d8c588

SHA1
df7fdd79f89fe4ae8b611a1ac06c94507f13e050

SHA256
e738cd632f54f4206bf2fc739f9a96f9a379d028a22da28f3f931750a39fb0b7

SHA512
95c20cb1f01a5563e7d5fa1547f6d3b639f36d7473df45fc78818b8df6b0cc30869d20f979d2a958ac9e3e5737ebd628a0dd7791cf88d886859ac4060c8bc14c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/100-23-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/100-27-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/100-26-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/100-25-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/100-24-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/4108-18-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/4108-9-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/4444-22-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/4444-2-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/4444-1-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/4444-0-0x0000000074752000-0x0000000074753000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing