metamorpherrat | 9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7

General

Target

9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe
Size

78KB
MD5

26bc9c6cfdc28d2c53a97cb4e78f8140
SHA1

e2f51aea0e5f8f4802647b4e74871ce66f51dfdf
SHA256

9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7
SHA512

60cd1513cb80b56513b150fcaa757e39670fb1f8ef97f6da9abc50b40b19d19ba34ac589ffacf97fded2afd04f1a4fc156d743fe51753d359222daf7a7c75343
SSDEEP

1536:RsHHuaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtj9/f1GCm:RsH/3DJywQjDgTLopLwdCFJzj9/Tm

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe

Executes dropped EXE 1 IoCs

pid	Process
3936	tmp7927.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7927.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	464	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe
Token: SeDebugPrivilege	3936	tmp7927.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 1444	464	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	83
PID 464 wrote to memory of 1444	464	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	83
PID 464 wrote to memory of 1444	464	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	83
PID 1444 wrote to memory of 852	1444	vbc.exe	85
PID 1444 wrote to memory of 852	1444	vbc.exe	85
PID 1444 wrote to memory of 852	1444	vbc.exe	85
PID 464 wrote to memory of 3936	464	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	86
PID 464 wrote to memory of 3936	464	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	86
PID 464 wrote to memory of 3936	464	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	86

C:\Users\Admin\AppData\Local\Temp\9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe
"C:\Users\Admin\AppData\Local\Temp\9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:464
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ibeg5oed.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A31.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7DF9D17C3CF54840AEDEE88EA9088C7.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:852
- C:\Users\Admin\AppData\Local\Temp\tmp7927.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7927.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7A31.tmp

Filesize
1KB

MD5
ee32b363476626fdb76402ff7cbe415e

SHA1
bc5e54ac509c41857b3989582a3fb7cccc5eb002

SHA256
3b185061ab282f488a241f0e7ec01b336acbfdfcc1662c25638cdd49871e307d

SHA512
0a6da999c7b5da7f1fa0c48a70132f9da9af82d273a3d700aa43262c31ae706cf7399ac25bd98434065cdf2938daf5156183520d4b850a6ddc4d98fb1c78f8d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibeg5oed.0.vb

Filesize
15KB

MD5
e2921057c07d81f8f8aa5a86d8f694d9

SHA1
855579275bfbabe8db3c055d51d2c8969372351e

SHA256
44fcffa67f64f1b65a8af492b5db60bfeadfea25fa6d7b46631da034452ae86e

SHA512
504acabd2a28fa30c4686acb71a6cb4f5573a7ed9c1ef0cf8a0f8520c45495253835ab13719c551587a05a2dda2486c83fb11a5ed3e764d33897ef697aaba828

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibeg5oed.cmdline

Filesize
266B

MD5
00c5753cb45965071af48f601416e8f7

SHA1
0409e0b85d15380a0ecbb734c031ff9400a9b05d

SHA256
e48a640a967c23b6bf4519d73751c5c042a80e742ff91a139b45d264c735a3e7

SHA512
0e185ef3ee1de2d6eb9c3592b60c7ac1ae230435d3c81097e3f9e16f9816394a91d5993718a9f02289fc4d333565c263352193080029b2117f7e5b33c7887768

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7927.tmp.exe

Filesize
78KB

MD5
787cb8b79d55d1e81e7bee5ef5ba9960

SHA1
a9f73932697698981328c03c6988d70ef83e383e

SHA256
926cf2deb6a8bc3e952dd99197a82244c33326e1d2ff3ff2528da787100b0b36

SHA512
7d05eb1a57ffe7470a9400eb501523e6781727a4a4ec99f594157ed749cc1df6cdcdd401f2e5f52fa0922e45fd8c7a75741a8085a27f3acfadbdefadb5fd8944

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7DF9D17C3CF54840AEDEE88EA9088C7.TMP

Filesize
660B

MD5
edd11a2833826230eb4612d1e3d57b8a

SHA1
c58b63344111bcf65b0a695223e7b754a25d6df0

SHA256
552b40fdaf3f85676b95129b10e29414a693f5621b87cefb911c07ea33d010ea

SHA512
41abab70977be03e28c2d132e4c257998c1536bb16868962e223f37aa8ba61bfd17000b50ea706efe5429a428522c0f8e200ad4bcaa16313efbe2e82a77d326f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/464-22-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/464-2-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/464-1-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/464-0-0x0000000074BE2000-0x0000000074BE3000-memory.dmp

Filesize
4KB

Download
memory/1444-8-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/1444-18-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/3936-23-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/3936-24-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/3936-25-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/3936-26-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/3936-27-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/3936-28-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/3936-29-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing