metamorpherrat | 8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdc

General

Target

8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe
Size

78KB
MD5

7ecd8605e046c54c694e9dc12b58c0c0
SHA1

84742e2d97d4ced9ce07722a3eee6ca084204a59
SHA256

8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdc
SHA512

e5880f0b791164a7be15fa7c9529b0848b187618b36ad7aabc19dc4ba593a0015622533a8464a841a6c840f7c69236a87f01b1e7e85cc63f329e1b965adecb86
SSDEEP

1536:D4V58EpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtd6T9/S1YQ:D4V586JywQjDgTLopLwdCFJzg9/G

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe

Executes dropped EXE 1 IoCs

pid	Process
4272	tmpB4AA.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB4AA.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 3956	2596	8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe	82
PID 2596 wrote to memory of 3956	2596	8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe	82
PID 2596 wrote to memory of 3956	2596	8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe	82
PID 3956 wrote to memory of 3740	3956	vbc.exe	84
PID 3956 wrote to memory of 3740	3956	vbc.exe	84
PID 3956 wrote to memory of 3740	3956	vbc.exe	84
PID 2596 wrote to memory of 4272	2596	8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe	85
PID 2596 wrote to memory of 4272	2596	8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe	85
PID 2596 wrote to memory of 4272	2596	8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe	85

C:\Users\Admin\AppData\Local\Temp\8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe
"C:\Users\Admin\AppData\Local\Temp\8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6rqv1x8g.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB70B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9C50DCF33C4B4BC7B035541B55A7DEF7.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3740
- C:\Users\Admin\AppData\Local\Temp\tmpB4AA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB4AA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6rqv1x8g.0.vb

Filesize
14KB

MD5
d024c02411ccfc6d4e55a241468dbcf0

SHA1
d22f66902d656597e0728b34501ee1723d9f11e2

SHA256
66c2065a83018c9abaa45ce012d3a4124fb1241bc58920018ccdc77c0b2ddcf0

SHA512
0f91787543853b7eb52e1c6aab6d197fd44ad3849570da487212863c47befd959a24d223eb1f2c60afccad0a5b8edfb4fd805a2faaa3b79d0ce68852e641c577

Download Submit
C:\Users\Admin\AppData\Local\Temp\6rqv1x8g.cmdline

Filesize
266B

MD5
2d91edae7fd1228436cd0af3b7afa38d

SHA1
b7abe85f0eac9def6dfbb5f97bc6fa9d30bae318

SHA256
6d00901d1b5f26a1b55d1dba4a6cd2a659163f550d27ace11fdd9952262429c7

SHA512
83884eee0bac6537ac8b0a9ba6b24957b75066550bf806d5753bc33a8e3957c6cd0e9d486a64234701f1c184d81234a7b019f95fb1e20f59d60b748085dda9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB70B.tmp

Filesize
1KB

MD5
34e10b44664aaee2392cc824bb020656

SHA1
446955bca252a396a41b992247920ce5923db7a8

SHA256
4195cc918ff205fadc2a60dad3caaf4dff110c09f5ea39c45f2ce89877d6284c

SHA512
f86162d8eb28852d635ea39e5a415d334256ec06fe98ec32e8713f757b5091ed37164737972088075e1bbfad725adc10a6b78ee09c3cf88ab1197228efd17e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB4AA.tmp.exe

Filesize
78KB

MD5
4dc4a44e56836bb9414fb2b44126b18d

SHA1
faaced7ecd69a9490278c802bb62e6cf04b7de24

SHA256
97794a3efc98335734f6c49abeb259a253f24822e9c82e0d795b5abac5997ca0

SHA512
3f111187815cadf35b9e10522c6cb2757732ae16a2ed0d27eddb64f48f8ade45784527789d4d780864c7731ac132605ff1598dd03cbc44be87a6e417f70ef8a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9C50DCF33C4B4BC7B035541B55A7DEF7.TMP

Filesize
660B

MD5
57451314de6ed070436941776ff146d8

SHA1
4d7cb1a251386517b1573652b448407274a2852d

SHA256
fcb00a83c89c5f7d58e16d6cd4f04d4179bdf4d2358276794405f17aaa6a07c6

SHA512
5c762c141efe3ceb8932ef779a583106dec2fbaf5eaaaabe02ae4b5b16ca187ad24042189852afbf90a3fc82ef77fc6d9ae3fc944114613c837e65be99ce35bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2596-1-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/2596-22-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/2596-0-0x0000000074BF2000-0x0000000074BF3000-memory.dmp

Filesize
4KB

Download
memory/2596-2-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3956-18-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3956-9-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4272-23-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4272-24-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4272-25-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4272-26-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4272-27-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4272-28-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing