metamorpherrat | a8bd0acdb13aee54429dfd7d985d6738e9e93b7397e0a757f217c6a973388340

General

Target

a8bd0acdb13aee54429dfd7d985d6738e9e93b7397e0a757f217c6a973388340N.exe
Size

78KB
MD5

5235500e363d99a2357d42af891788e0
SHA1

b7530f2ae1ec9b8d1f46c4079465321b6b3f94b5
SHA256

a8bd0acdb13aee54429dfd7d985d6738e9e93b7397e0a757f217c6a973388340
SHA512

7dee4e60287e5518cdc5ca46cab80513579222f28f2a96d93e9fb7b1d9430b1af7cebade58d4e21ce87e986eea9f227c155e0f9af36d37148f5e713373a79e62
SSDEEP

1536:CsHHuaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtkB9//1CY:CsH/3DJywQjDgTLopLwdCFJzkB9/d

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	a8bd0acdb13aee54429dfd7d985d6738e9e93b7397e0a757f217c6a973388340N.exe

Executes dropped EXE 1 IoCs

pid	Process
1368	tmpA7AA.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA7AA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8bd0acdb13aee54429dfd7d985d6738e9e93b7397e0a757f217c6a973388340N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	a8bd0acdb13aee54429dfd7d985d6738e9e93b7397e0a757f217c6a973388340N.exe
Token: SeDebugPrivilege	1368	tmpA7AA.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 4716	2212	a8bd0acdb13aee54429dfd7d985d6738e9e93b7397e0a757f217c6a973388340N.exe	82
PID 2212 wrote to memory of 4716	2212	a8bd0acdb13aee54429dfd7d985d6738e9e93b7397e0a757f217c6a973388340N.exe	82
PID 2212 wrote to memory of 4716	2212	a8bd0acdb13aee54429dfd7d985d6738e9e93b7397e0a757f217c6a973388340N.exe	82
PID 4716 wrote to memory of 4392	4716	vbc.exe	84
PID 4716 wrote to memory of 4392	4716	vbc.exe	84
PID 4716 wrote to memory of 4392	4716	vbc.exe	84
PID 2212 wrote to memory of 1368	2212	a8bd0acdb13aee54429dfd7d985d6738e9e93b7397e0a757f217c6a973388340N.exe	85
PID 2212 wrote to memory of 1368	2212	a8bd0acdb13aee54429dfd7d985d6738e9e93b7397e0a757f217c6a973388340N.exe	85
PID 2212 wrote to memory of 1368	2212	a8bd0acdb13aee54429dfd7d985d6738e9e93b7397e0a757f217c6a973388340N.exe	85

C:\Users\Admin\AppData\Local\Temp\a8bd0acdb13aee54429dfd7d985d6738e9e93b7397e0a757f217c6a973388340N.exe
"C:\Users\Admin\AppData\Local\Temp\a8bd0acdb13aee54429dfd7d985d6738e9e93b7397e0a757f217c6a973388340N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ydvdbex_.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA96F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB44CE855D2984481A9403C92E21521B8.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4392
- C:\Users\Admin\AppData\Local\Temp\tmpA7AA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA7AA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a8bd0acdb13aee54429dfd7d985d6738e9e93b7397e0a757f217c6a973388340N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA96F.tmp

Filesize
1KB

MD5
7dd42fe7168278d91c1f6794615efe6e

SHA1
40b321755f3289b1dea53a32299131aee5d41794

SHA256
3f14b8ab1f5daf0ab5eee64b57cb5a55a9cb7f2bdbc9f8a0257f125d03daeda2

SHA512
fb8557a484b642310164af3f8cf6abee43f11f641647868324ed53d3b0a4801d294496e94dbe71f18682ae6fe7d7af1ee99169b68e06a0a5438f065089f303d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA7AA.tmp.exe

Filesize
78KB

MD5
37f34886dc9362740b91ba667284f110

SHA1
fa0dbbe69091eac00d05aeade8d74a8ce5af9acf

SHA256
c5eac0f62b732cea343e81e4a89db2431f0fef9a5c5c49671d1e54e00c1bbb55

SHA512
97afd55cf5983b4ec082e3bdfa85245063a043b8800951e53b03a3a89aa6749fa4d1884d76876e6549379da57cb47533aefdeb311db7ea153ef0cce72fecc905

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB44CE855D2984481A9403C92E21521B8.TMP

Filesize
660B

MD5
0a9e9eb5ca5c1212a8ab52942654524a

SHA1
a60f818c0576daa8b2e56d65e6b708b4f1a4cc63

SHA256
2a59532f7904e6056c3eba610bfb78d58bea1b5575d24d364b83e2d3231daf15

SHA512
fd72e007ebf8b1f257660f2c91d253eee9d4f5c4e2f58f8f9f88a1da5ec21f505c86da1e7b93bd4c2c71dfa2a44281f2807cc5ec564a51ea142f0510e99bfa99

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydvdbex_.0.vb

Filesize
15KB

MD5
656d363cf600bc49fb0a1be16a424570

SHA1
0d875f08d09bf449e968e48082cdaa29b205ad3d

SHA256
20b9f6a8257df7513c117cc3b941496fe748088ddd4401d41195ade8fc19f003

SHA512
7c4b71eb0be51428376d6cb68c95f5507dc58c4024f8ab5e5a19c29673e3aaee3cdb6d5baca741d62e6355e7d0d38cf37c5c51882a8e428950f7723e1152681e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydvdbex_.cmdline

Filesize
266B

MD5
e494248e763c44bad8a1157d8ac66903

SHA1
f8ca4aa695c06da3ebe084aff05831e037e4f95c

SHA256
daaeaad0c5e7ac8eeacc9360466334280c00b91996e371cb14bfa37d7086e2a2

SHA512
fc037c034b36ae4aed6b146d45a9a09cf1b6259c58d34cd49a00bfff23f710e90de7f0b2c667363301c1d5b0f3afae17c1a94249cbad85293a91f5d3d2b58f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1368-24-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/1368-23-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/1368-25-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/1368-26-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/1368-27-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/1368-28-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/2212-2-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/2212-1-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/2212-22-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/2212-0-0x0000000074D22000-0x0000000074D23000-memory.dmp

Filesize
4KB

Download
memory/4716-8-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4716-18-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing