metamorpherrat | 9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7

General

Target

9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe
Size

78KB
MD5

26bc9c6cfdc28d2c53a97cb4e78f8140
SHA1

e2f51aea0e5f8f4802647b4e74871ce66f51dfdf
SHA256

9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7
SHA512

60cd1513cb80b56513b150fcaa757e39670fb1f8ef97f6da9abc50b40b19d19ba34ac589ffacf97fded2afd04f1a4fc156d743fe51753d359222daf7a7c75343
SSDEEP

1536:RsHHuaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtj9/f1GCm:RsH/3DJywQjDgTLopLwdCFJzj9/Tm

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe

Executes dropped EXE 1 IoCs

pid	Process
1088	tmp8F20.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8F20.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4440	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 4460	4440	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	83
PID 4440 wrote to memory of 4460	4440	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	83
PID 4440 wrote to memory of 4460	4440	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	83
PID 4460 wrote to memory of 1636	4460	vbc.exe	85
PID 4460 wrote to memory of 1636	4460	vbc.exe	85
PID 4460 wrote to memory of 1636	4460	vbc.exe	85
PID 4440 wrote to memory of 1088	4440	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	86
PID 4440 wrote to memory of 1088	4440	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	86
PID 4440 wrote to memory of 1088	4440	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	86

C:\Users\Admin\AppData\Local\Temp\9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe
"C:\Users\Admin\AppData\Local\Temp\9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xx4xqalt.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8FDC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1BCA887FE6724413A8661F322DEB701A.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1636
- C:\Users\Admin\AppData\Local\Temp\tmp8F20.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8F20.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8FDC.tmp

Filesize
1KB

MD5
6ff09524cb9bb0ea611ec99deecc2cd9

SHA1
ff3dcb64522d69a64e4ab63749b21fd0d70df08d

SHA256
07bd47e7c2b66fabf7436bc35ce1f516157f9209a172430d0180cbfbc85dabe8

SHA512
7605977f993319b3b1e2feb5deaf9a7249880d79c007cbb3e85cdd52639c51aeb02359322b6e35d5af857479f446f8c492ec4c051b28ef629426729b6123018a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8F20.tmp.exe

Filesize
78KB

MD5
432ec1b54ccc0fc42ca94846ae3b120b

SHA1
774586e0e1afc25cfea05e7570bbab77154bb6c9

SHA256
de97e6ff4f63a90ada98b3fa4079bc085ebc28618fcbc8fa3f0ab701599defd6

SHA512
93ff91295a7d6818b9161e700b26c44bb2d949f64eb9749d7f6645c30cf6c5e9f6b298456a7c81cef46d22f981c2c653f00629c4fe12dd11ef1c6fb1d98cefa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1BCA887FE6724413A8661F322DEB701A.TMP

Filesize
660B

MD5
59f662a084665bc5bfbeb670e58c8d36

SHA1
d90107adba772fb1a232524837bb0f3b38f1a888

SHA256
3b430345c267d320ea1323edaa629100154abd0ce0461f4ce8253b574a3d92bb

SHA512
34933e59d80570176e0f81025dca093225e6c764b55fe13ac6e25bea914b3b5637b84b7de29ce8356065d885767db83b562b45e8259c8cf2177c2d1798b40e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx4xqalt.0.vb

Filesize
15KB

MD5
d0f272034c35e558d31d2980f5c8cc38

SHA1
5b5c94a0b16a0dd08e2e9dea45341289bb65dd2b

SHA256
ed566fd25f2a95c81b90d9deea95bc4aca0507cfe8f9f7229e4cc47d7c16caca

SHA512
2078799bd9215b35e6609f1939a2b2980633c0bd6f24003b51ccda264d3936a03b87e38cd136e1c0a6b92c694dca0504f472dd29b6bdea48e34788678066fcd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx4xqalt.cmdline

Filesize
266B

MD5
ac2a9c123f76de1d15dbff66e2888840

SHA1
6e3b25310bef60b963d1fd6349765531412d422b

SHA256
6cca1ea852f7922d2841514483b4be8beb5fe444ffa782cea012d64d725d2f0b

SHA512
5497b4638fd2f18a1501b35d9ef6a029aee14e84ff842fe202d81b825df32042a3ab6c9c995144a901fb1e0d06a030db22b53161e581f5a18ba2f4f748b9fec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1088-23-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/1088-27-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/1088-26-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/1088-25-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/1088-24-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4440-22-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4440-0-0x0000000074F42000-0x0000000074F43000-memory.dmp

Filesize
4KB

Download
memory/4440-2-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4440-1-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4460-18-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4460-8-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing