metamorpherrat | 1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858

General

Target

1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe
Size

78KB
MD5

1febe87029e171a05962959110aedf67
SHA1

402257db7a85b52cbd447e31e40fe84c57783194
SHA256

1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858
SHA512

909f46b2acdcb9d27bdeea1d03e370dbf8ec9df606b4825dc367fd67380aeb4c67b395d159bc3329e3b9e929e422081a3ec02d0983b74eb3bced811d9a039068
SSDEEP

1536:IvWV5jKpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtt6U9/T011hN:+WV5jEJywQjDgTLopLwdCFJzL9/6N

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe

Executes dropped EXE 1 IoCs

pid	Process
1356	tmp8EC3.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8EC3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2252	2336	1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe	83
PID 2336 wrote to memory of 2252	2336	1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe	83
PID 2336 wrote to memory of 2252	2336	1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe	83
PID 2252 wrote to memory of 4752	2252	vbc.exe	85
PID 2252 wrote to memory of 4752	2252	vbc.exe	85
PID 2252 wrote to memory of 4752	2252	vbc.exe	85
PID 2336 wrote to memory of 1356	2336	1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe	86
PID 2336 wrote to memory of 1356	2336	1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe	86
PID 2336 wrote to memory of 1356	2336	1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe	86

C:\Users\Admin\AppData\Local\Temp\1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe
"C:\Users\Admin\AppData\Local\Temp\1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z8ehkxud.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F8E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE13D857F2BAB477FBB1FD56E69EE777.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4752
- C:\Users\Admin\AppData\Local\Temp\tmp8EC3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8EC3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1c9258a0307f4a83355b08217d7074ec211a89b2fd70036d0552e1c6238fc858.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8F8E.tmp

Filesize
1KB

MD5
887f0b679009a470321a54781c1963c0

SHA1
34b626ca25b610b0cf0a07bd45386aef20dd66b7

SHA256
d4dfa6ae7c2ff858009bf76e740b6fe3c7224fe52299e9788b47f45dfefb8400

SHA512
e475bb6375e0001e0101fe9ffe592cf363d9322ebcac9a75bc66c17b673c6e22d0e2e93386581817c4de57458586e8f35c4a365748331d365cd25a3ea6bd58db

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8EC3.tmp.exe

Filesize
78KB

MD5
35228717dc30a9ef6ecee32fda6c752e

SHA1
6b289e6313741e5950639ffa14e68620f46a3d9b

SHA256
bf57c5cc5865a74482097f4dee1b37efafd6e8bcd80706ea1441e743539ff268

SHA512
1b5b6508f2894d28abe0ff51d31f6d4b3019aa397f0f92d50e279ee3bce0471946d13a767e96745cac5e3fc315d575546b7ad417719d6193f24d03ed80755bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE13D857F2BAB477FBB1FD56E69EE777.TMP

Filesize
660B

MD5
ec89d7cc3f55dabeba7b0cd14ff6589a

SHA1
4805e3680c82637f86e038cbab37b9a232fc3024

SHA256
ff52964696b5909aad8791212e40cb8ac43a35955b9f5ef690580a8d2de53c03

SHA512
1cd075ff857f13fba1752a59f7c68a2fd3bc52dcdb3e3a28259396bb946ce915829f10fdfeec20dbd422630301e774018603aa1458eb54dbc0be5a924dba302f

Download Submit
C:\Users\Admin\AppData\Local\Temp\z8ehkxud.0.vb

Filesize
14KB

MD5
0291f6e7a7fcfd855486634f87419401

SHA1
031d79075bb957978d87827277c5011acce73231

SHA256
86c156c4ec701b8b23d1a6f10691aaf251057751431d4c7526329f0ff45d4eeb

SHA512
6d85064c9f3a28ff1765f0870d589fe40fefc39622e8a3326ce36a6879e9c98a05662f96c201dfb0ea422764e51fd955123efe5236a9a558f360da248011af42

Download Submit
C:\Users\Admin\AppData\Local\Temp\z8ehkxud.cmdline

Filesize
266B

MD5
8b1d4614de8e58634fc97ef3a9b2b3b5

SHA1
0a8a894545c7240bf1cc32702b082cb516b59bdc

SHA256
7d63b9756c18c33eab93f9e002e3971023afee7cbf253cd174e3978a8b79d98a

SHA512
bc16015d7901aff883c3f8e2df9e6b0eea30274bd357d7f73d241bd19bd234601db7b84b6232cb2b2bc82b06f3905d8483cdb8b6bfd3141d009deb9010cba574

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1356-24-0x00000000748D0000-0x0000000074E81000-memory.dmp

Filesize
5.7MB

Download
memory/1356-23-0x00000000748D0000-0x0000000074E81000-memory.dmp

Filesize
5.7MB

Download
memory/1356-25-0x00000000748D0000-0x0000000074E81000-memory.dmp

Filesize
5.7MB

Download
memory/1356-26-0x00000000748D0000-0x0000000074E81000-memory.dmp

Filesize
5.7MB

Download
memory/1356-27-0x00000000748D0000-0x0000000074E81000-memory.dmp

Filesize
5.7MB

Download
memory/2252-8-0x00000000748D0000-0x0000000074E81000-memory.dmp

Filesize
5.7MB

Download
memory/2252-18-0x00000000748D0000-0x0000000074E81000-memory.dmp

Filesize
5.7MB

Download
memory/2336-2-0x00000000748D0000-0x0000000074E81000-memory.dmp

Filesize
5.7MB

Download
memory/2336-1-0x00000000748D0000-0x0000000074E81000-memory.dmp

Filesize
5.7MB

Download
memory/2336-22-0x00000000748D0000-0x0000000074E81000-memory.dmp

Filesize
5.7MB

Download
memory/2336-0-0x00000000748D2000-0x00000000748D3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing