metamorpherrat | 707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465

General

Target

707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe
Size

78KB
MD5

9962927752e377c54ed74bee9d3d4242
SHA1

92b1bfe41fb3e7e9bcd399400017c2421338a4de
SHA256

707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465
SHA512

371f9f73713eaa3ff8a5f308eb0268ceafc7e6ae55a3e7268bf556cb5bbedfc907875c9734c0f34012303cb829aeff597b06edb3072fb01a5cb03b19490471ce
SSDEEP

1536:NStHF3uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtL19/uw1HzH:NStHFP3DJywQjDgTLopLwdCFJzL19/hH

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe

Executes dropped EXE 1 IoCs

pid	Process
548	tmp6CF2.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6CF2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3644	707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe
Token: SeDebugPrivilege	548	tmp6CF2.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 3144	3644	707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe	82
PID 3644 wrote to memory of 3144	3644	707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe	82
PID 3644 wrote to memory of 3144	3644	707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe	82
PID 3144 wrote to memory of 208	3144	vbc.exe	84
PID 3144 wrote to memory of 208	3144	vbc.exe	84
PID 3144 wrote to memory of 208	3144	vbc.exe	84
PID 3644 wrote to memory of 548	3644	707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe	85
PID 3644 wrote to memory of 548	3644	707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe	85
PID 3644 wrote to memory of 548	3644	707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe	85

C:\Users\Admin\AppData\Local\Temp\707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe
"C:\Users\Admin\AppData\Local\Temp\707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rje8s4yv.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6DDD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc69504EBDE0614EA39C4C1A7DE63DF9D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:208
- C:\Users\Admin\AppData\Local\Temp\tmp6CF2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6CF2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6DDD.tmp

Filesize
1KB

MD5
c87d7e942da67eda1d85922946e62322

SHA1
38c0609f8a016a55254430e3a34e77252a939e5d

SHA256
be7dee024206da96e2009667176e151f2da37287bc55b263bb7da4fab39097c8

SHA512
62f2a246f130dae745e6539f2bf4b8cd358c25851f632894e069dadfb9974bf5b0c3fb8b231edaa0563b977cc990e1d5eb598a23643c8002e7db61b3c71488e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rje8s4yv.0.vb

Filesize
15KB

MD5
0d63bceac98890ba01c081098992ec10

SHA1
65d23756532a2aaa6d4cbe5bc23d2c7bb576f037

SHA256
7e1de046003b99847a979888e26254bdf496b8997f95d808bc24d18d2aafcaf5

SHA512
e42223e47f855e41139148d1d283204a8294190c74f56013dab4e175e9562b4bcc052eb17a55ba996469109aa29d688d9b45d1f3e475f0edc6ca5f09b8258983

Download Submit
C:\Users\Admin\AppData\Local\Temp\rje8s4yv.cmdline

Filesize
266B

MD5
c58683b3fa28104091955708b5f8f6a0

SHA1
3bb353c7815a54fa4197e9d3995be393f621a3d8

SHA256
dde66b92a2d04cfca549d970993df48a8541bdbd42d1b4ac39b033ad0f62242d

SHA512
00cc694a9acbc07a97edde78ca05832067027afc9d649cc6eb38497287e56eeb5b1bd3152b7a90116df4cf8f1bef77bd18ec9751d24bfee09f4b2416df70d5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6CF2.tmp.exe

Filesize
78KB

MD5
cb50b2e9dc6ba4bbf5e4b9d08d50d30c

SHA1
b4f55d124c1335e1591443a788c199e6cd6e8695

SHA256
96bf5cf374da52c51b966665a073ceedc23937c1801ace721af82b7ea763b5e5

SHA512
61d191e1d3ef39c830995f525a9851dfb5cf6b65182479e74a76caad02df1d2498a435a4915fdb7a879efd12b0cf92c7a76f49351ca158a4431862a2b632d613

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc69504EBDE0614EA39C4C1A7DE63DF9D.TMP

Filesize
660B

MD5
bb30a8bd76c15352ec537088228273c4

SHA1
26bb11c3d7c076ef70a668e732170ad3c75e07d2

SHA256
d696c50266011695b8c4b2a67efb7b36a43c3aa62fdf1ad2e2620983e8b38c71

SHA512
dc6b51c52d4962a88cda37f8e52e4d691ead3c297397123769dc647e03ba16d835d2563e35ed3c927133cfe0940f6116f23c13451b51e15190dd5d2d4ad7573f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/548-27-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/548-24-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/548-30-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/548-29-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/548-28-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/548-26-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/548-23-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/548-25-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/3144-8-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/3144-18-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/3644-22-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/3644-2-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/3644-0-0x0000000074C02000-0x0000000074C03000-memory.dmp

Filesize
4KB

Download
memory/3644-1-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing