metamorpherrat | 1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17

General

Target

1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
Size

78KB
MD5

ae002c0f52fbeac0cb03c901b537c38b
SHA1

d2f3f8527b33e67a8079b2fdce154eff5e883ba7
SHA256

1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17
SHA512

e0cc49dcd2e9870b9caaa638809f1e42fc0a04cd24e4e150f04daf396f92a9a375dda758e009c8991f9d8e30d27e43f5c1a5cd7fd85d51faddb2980c65b7782e
SSDEEP

1536:zCHY6JIfpJywt04wbje37TazckwzW4UfSqRovPtoY0BQtS9/A1dJ:zCHYOIhJywQj2TLo4UJuXHhS9/+

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe

Executes dropped EXE 1 IoCs

pid	Process
564	tmpB006.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB006.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4780	1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
Token: SeDebugPrivilege	564	tmpB006.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 1624	4780	1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe	84
PID 4780 wrote to memory of 1624	4780	1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe	84
PID 4780 wrote to memory of 1624	4780	1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe	84
PID 1624 wrote to memory of 3520	1624	vbc.exe	86
PID 1624 wrote to memory of 3520	1624	vbc.exe	86
PID 1624 wrote to memory of 3520	1624	vbc.exe	86
PID 4780 wrote to memory of 564	4780	1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe	87
PID 4780 wrote to memory of 564	4780	1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe	87
PID 4780 wrote to memory of 564	4780	1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe	87

C:\Users\Admin\AppData\Local\Temp\1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
"C:\Users\Admin\AppData\Local\Temp\1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\krepmyez.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc40446A4EFCF14266963AABC125F6C68.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3520
- C:\Users\Admin\AppData\Local\Temp\tmpB006.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB006.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB0B2.tmp

Filesize
1KB

MD5
aa5d7d3d150d8bab5522ee08abfc6030

SHA1
622c536b1bdb271921956f893b7e774fe7aeb9b3

SHA256
6ffe5d225e27815a93af6775532ff2fb341715dc3eede93c5c04d522ca120397

SHA512
1b8409b2f8dc5542a1b43ae1c6bfa9d05a9d2da164adaa7512709faf4d30712bfe9c43a6a4612f0d16fdb883c8b668ca096910de54602102d735390969b4b82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\krepmyez.0.vb

Filesize
15KB

MD5
e7530c8cde1f2c93e789c21a030ac50d

SHA1
67aa20ccfb5c1122183047fd580a95f91b571dae

SHA256
8e758b25761dfb99c2745726521da95ff606f70880c52d2591f74984b14093e5

SHA512
c2fc7d9e9f796f066b1ac4bc51b40d6a80ba72f27829a531e2c17aa7453f2a7919eeb322706713e1d8fdf6c8a5f9ea0b7dd11b16729df02cda6ae3ef86cefea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\krepmyez.cmdline

Filesize
266B

MD5
9f440254c5dd572d1fcc80589b510b77

SHA1
ee1f7c0433725d8d59edd3c270c22b55dd8dfbab

SHA256
950b539e942133045b4f243422aa406b2bbb085906c8e05bf1f65f04db903a96

SHA512
401b0eeeb96de1c04b946b40be7c1ffb1b9628587b1245159eb0dced66665a0e4abb78de4e3feb7bae63ab2e6c560b212c2f4de20fc7182c7a6235911debf456

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB006.tmp.exe

Filesize
78KB

MD5
9ac74b0bfe6e9215906ec2401375fc05

SHA1
cb4fbad7389c60cea4619a42f4fafe94152889c2

SHA256
2024947172213b37fe5b160ab8fada11a0b17fa78d154d4a9c34ee318fcfec6a

SHA512
442ea126958a364da4d0316bd43262d4fe96355dc9ce27ded287b77922870984cd521948acf09e0db2bc52ae83cedbc5d2bc21f6467768447747f2db84e45e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc40446A4EFCF14266963AABC125F6C68.TMP

Filesize
660B

MD5
1da5ee15126506d07392b6dd410716ec

SHA1
364f13e7dc810c527131977ac00779397fdd2703

SHA256
622b96fefdcbe58d5b512835b8c58f24e19450b198ff55b7b3479243b2e0d46a

SHA512
bf5db7eea986fc4844cb9e2fda9940e58a8bac4c65e2bf2c693f341ce1e85f2cbd98768c44f35b52964c620f7e59419825c0c9be33e22eda29f57fcab17efa0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8008b17644b64cea2613d47c30c6e9f4

SHA1
4cd2935358e7a306af6aac6d1c0e495535bd5b32

SHA256
fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

SHA512
0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

Download Submit
memory/564-24-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/564-23-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/564-25-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/564-26-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/564-27-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/1624-8-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/1624-18-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/4780-2-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/4780-1-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/4780-0-0x0000000074AB2000-0x0000000074AB3000-memory.dmp

Filesize
4KB

Download
memory/4780-22-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing