metamorpherrat | 8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3

General

Target

8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe
Size

78KB
MD5

0292fd03e9b712d2a5612391e0126ba0
SHA1

5a45307ea5bb64ddc49457e51a8732bb786d110c
SHA256

8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3
SHA512

9f375620cccda4163b4c1e4d01f91a7ea29667b5a58a0cb230cbcb3f32e888015fcba5b66be842cd51ea51edd6d4b07beffa3304fa19914272d96e8f95925a41
SSDEEP

1536:NStHF3uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtL19/uw1Hz:NStHFP3DJywQjDgTLopLwdCFJzL19/h

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe

Executes dropped EXE 1 IoCs

pid	Process
3528	tmpA22B.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA22B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	436	8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe
Token: SeDebugPrivilege	3528	tmpA22B.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 1332	436	8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe	83
PID 436 wrote to memory of 1332	436	8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe	83
PID 436 wrote to memory of 1332	436	8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe	83
PID 1332 wrote to memory of 4804	1332	vbc.exe	85
PID 1332 wrote to memory of 4804	1332	vbc.exe	85
PID 1332 wrote to memory of 4804	1332	vbc.exe	85
PID 436 wrote to memory of 3528	436	8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe	86
PID 436 wrote to memory of 3528	436	8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe	86
PID 436 wrote to memory of 3528	436	8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe	86

C:\Users\Admin\AppData\Local\Temp\8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe
"C:\Users\Admin\AppData\Local\Temp\8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hayjjwdb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3C2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc344DE80AC4434948A89ED6EEF5442C13.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4804
- C:\Users\Admin\AppData\Local\Temp\tmpA22B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA22B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA3C2.tmp

Filesize
1KB

MD5
9f284eb8cecc9e752a67e3bb81d9f05e

SHA1
7e3382bfa19b5d03ef7539a32fe68984cba3e265

SHA256
34845e746d21317b5a3fda8e16756ab79a4138d803594cb9ba3d215b66de4281

SHA512
f79396671c3a135b5247247889656e227f22ec1ac2fce1ca6f134536f035e1eb6d92e28bcd27d7ca3109e65c194a37132e34035e420e7d6b89b6ccee7391ef44

Download Submit
C:\Users\Admin\AppData\Local\Temp\hayjjwdb.0.vb

Filesize
15KB

MD5
9010ce3a5db23fe3911c6a2dc8206647

SHA1
a1c4cf9180bd01ff783fb7815e395655a9fc38ae

SHA256
bd7a2a38e7121ecbd1639a28a21ac677b07b9b920ac98b38a3713d8caaac9c5a

SHA512
197991a439f17c64af0dddba763838d2b80ed666c3c16a797a43cd59288c9c54731dff4e0b10a9202afa2f37d14d77bf6fc15d10077217ee691b2f25381b8c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\hayjjwdb.cmdline

Filesize
266B

MD5
9beca0108c46788cd6f43ae5df41d448

SHA1
1ba97713369309cab4aa20ccc4e69686ad396951

SHA256
60e77c397b6f25e50c2f288503b3216fb5ad2a8969d53acbfbbb5d648ee887ac

SHA512
29ae23a3cd3bbed614ee3ee8f1a87bc0a9a308931fde99b9003590a3ab21313e04ec70e761a898c443e4e260a21576f2368e049e6cc9f31a85ceaf14a791249e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA22B.tmp.exe

Filesize
78KB

MD5
509c540ba39c89adaae640d736fd6890

SHA1
761c13088241eb596f67894860ab9ce815097b31

SHA256
77cfbac394d56076f3a22956c2ae7eb75d3d76a2f6cd915a2ded23d0f41ca561

SHA512
5a50218218e87a26fe61ee390e27fa084c98ab971a4b54a0d6451798d34e562d5dd5aded4389a24d3e810136a9ceab328c302cf3813bf2b7e674ff7a9cc603f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc344DE80AC4434948A89ED6EEF5442C13.TMP

Filesize
660B

MD5
ded4e930995e6a7fa1d5376523a700eb

SHA1
27f05666e64dfdfea6abeb8c8e2362c531762354

SHA256
ff51387b071f5ed5ca7d2c2be7d5e8c826d02e45392529f401f053a1ab5e9811

SHA512
786a84a756d53ca4dd4fce4c06c6d270b00804e61f508c61ad97933316a44534516bf2fc1af3a6e9abb7287e2d47f1b899dc2f74671003c6db2e3e1cdcaa0ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/436-2-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/436-1-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/436-0-0x0000000074F12000-0x0000000074F13000-memory.dmp

Filesize
4KB

Download
memory/436-22-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/1332-9-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/1332-18-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/3528-23-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/3528-24-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/3528-25-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/3528-26-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/3528-27-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/3528-28-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing