metamorpherrat | 752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee

General

Target

752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe
Size

78KB
MD5

cb5bbd667e2c154fae05fd0ed65383d5
SHA1

dea41a84703c4cedf9ed7701beae4e10c7f20705
SHA256

752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee
SHA512

c5bd8555e26c4136fbaf2680ee3a2e8054b0f2c54b0fd027e5d6fb2cdcf559c0712bf3d8283368a70c37d1ed6214244eaf42dcec1794f3f24b9dff0721392660
SSDEEP

1536:D4V58EpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtd6T9/S1YQu:D4V586JywQjDgTLopLwdCFJzg9/Gu

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe

Executes dropped EXE 1 IoCs

pid	Process
1020	tmp735B.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp735B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe
Token: SeDebugPrivilege	1020	tmp735B.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2116	2944	752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe	82
PID 2944 wrote to memory of 2116	2944	752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe	82
PID 2944 wrote to memory of 2116	2944	752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe	82
PID 2116 wrote to memory of 4164	2116	vbc.exe	84
PID 2116 wrote to memory of 4164	2116	vbc.exe	84
PID 2116 wrote to memory of 4164	2116	vbc.exe	84
PID 2944 wrote to memory of 1020	2944	752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe	85
PID 2944 wrote to memory of 1020	2944	752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe	85
PID 2944 wrote to memory of 1020	2944	752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe	85

C:\Users\Admin\AppData\Local\Temp\752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe
"C:\Users\Admin\AppData\Local\Temp\752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bz2gc9ka.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7520.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6126FF9949A148A6924F3076BA61A2FC.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4164
- C:\Users\Admin\AppData\Local\Temp\tmp735B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp735B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7520.tmp

Filesize
1KB

MD5
d1cb9c7421a98e1d20075b522a4618dc

SHA1
ab1a705f28bb2cef46008b837ca2723cf0c3bf2c

SHA256
0d30413def65ecc3ecfe9ffc48f426a6da32c663e2976b4fe4e5dc7b07a93e17

SHA512
8856f577e6994365c6f0358aace1bfc804b0295934543b5c61e2d4451b6a614512ab4680d2ed35ed255234fcf108ec742ea8dabb2fad9e9e55235cb7023fc41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bz2gc9ka.0.vb

Filesize
14KB

MD5
d1cbb318ca62dec4928b4d1e9893eb24

SHA1
6cb0301893f72fd1b56bb39218a8d54718faf420

SHA256
03591362fb7eab314640bb4d63c66557520814dab6216211c22d83705969a7ed

SHA512
dc664a4d46df2d413e05d7ba9aa9fc679cbf9f6c375e86352791387634ab2fc85ba267b87908f4a24c0556ff3d1021eeede3d11ae43530171fc929e9a4eb9de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bz2gc9ka.cmdline

Filesize
266B

MD5
d5f15d64c96cd7f02531e2c545f9c041

SHA1
072e6f1d9cb7fc996d778e482001299a1178b0a7

SHA256
cbe04c8cdacd92233387e6da3c3e8d0f1f7b74d6961e9af0927ff8b56642a0f4

SHA512
2991cbc0b1ff35acffd70ad5df1c2b8e7e4786f5707a4ff5f9003a8b3ddcfa8dc2fd94654e5c416801bf635f4c10cbb31db3f802fccc93198eb21a6227b1e4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp735B.tmp.exe

Filesize
78KB

MD5
f75851b152c57b93a1c4eac39fba154d

SHA1
494ec45cf6762d023caa9033b3efee2bf6c08533

SHA256
84e9803e9e9d11946ca9f8b9b2b38be2314bf5c12031c6e566f4ff480f8edc54

SHA512
febd4e5d813397419a0bc8cf1b386ea1f8985b0ca3b08a755bad7db84921207bc7f251a6e93d30f8329dcdf18d557cf8b888caf1058d9d04d23e9ad5511cb03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6126FF9949A148A6924F3076BA61A2FC.TMP

Filesize
660B

MD5
e1e1e2db219cc6235317ea3e749879b8

SHA1
5752ebd43e640c0dcf3af34f3fac7cb58b3d1fa6

SHA256
17f82337118430491dc3933863392e4812f43a8a54201258e2d6c4844774b489

SHA512
c92175ef1d32ff3f0742c3b99f0a57d94401eccde43910f4451c0835cb8b8a3ab86f723c9859e682c9bde86d95b10876de91835e59987797469f9b4324f21049

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1020-23-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/1020-29-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/1020-24-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/1020-25-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/1020-26-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/1020-27-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/1020-28-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/2116-9-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/2116-18-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/2944-1-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/2944-22-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/2944-0-0x00000000747E2000-0x00000000747E3000-memory.dmp

Filesize
4KB

Download
memory/2944-2-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing