metamorpherrat | 8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d

General

Target

8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe
Size

78KB
MD5

f13f1d01a28fbee71a5c6a16f4122970
SHA1

606f92dfd349b012ec54f9912192ee6d4942c857
SHA256

8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d
SHA512

1fc59f8232612d5d3810aab9f0f259ac4de5ee0e72ce1e8b8a27f8ab4da9dae98e69d7fce3baf13a6dee65f3513a20ebcb1882581fab96224d10f5b72fed00e9
SSDEEP

1536:l+5jSNpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti67Y9/PC1aw8:I5jS7JywQjDgTLopLwdCFJzDY9/E8

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe

Executes dropped EXE 1 IoCs

pid	Process
4812	tmp6551.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6551.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	404	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 4980	404	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe	84
PID 404 wrote to memory of 4980	404	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe	84
PID 404 wrote to memory of 4980	404	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe	84
PID 4980 wrote to memory of 4092	4980	vbc.exe	86
PID 4980 wrote to memory of 4092	4980	vbc.exe	86
PID 4980 wrote to memory of 4092	4980	vbc.exe	86
PID 404 wrote to memory of 4812	404	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe	87
PID 404 wrote to memory of 4812	404	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe	87
PID 404 wrote to memory of 4812	404	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe	87

C:\Users\Admin\AppData\Local\Temp\8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe
"C:\Users\Admin\AppData\Local\Temp\8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zbvk2e5p.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES665B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD47599C3AEA8454DAEFCCD866D9A2EF5.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4092
- C:\Users\Admin\AppData\Local\Temp\tmp6551.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6551.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES665B.tmp

Filesize
1KB

MD5
6b4cbe85c1c1e601650e2fdbc8a4f429

SHA1
072fdcb36e6877bdf2eb57cf919650490b065786

SHA256
1eaaf194d1d6b2bd47a05a32e4cacd051a020db3377b9cb163172cf213e8d4b1

SHA512
f0b950662ddb7fcb52bad77c0de767523891171746db3406ca9e47d6133ddce04e9cecae11217125b08f2a596d403bccfad69304dd599c3b2a79ab9becda78bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6551.tmp.exe

Filesize
78KB

MD5
30b34e090664883be80623d7f7a91e42

SHA1
dd5227234745ceb0640b02ccb216902b20f85fcf

SHA256
10783c337f36663b295398656d935a08c00b019b855ffa084c19ccfa4a3e7c89

SHA512
9f07e1be21b3d564398e3df34321aeeb0ecc6d088abbf581f6ce7193503dadc6e237c2a707b1b159c12f4a9c7ba0992bd51f9d3de7e0cb4e5d1e4f184787a7a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD47599C3AEA8454DAEFCCD866D9A2EF5.TMP

Filesize
660B

MD5
8f0f582735b2806bb163ae9259d4ae19

SHA1
75da631d9b6f59f80f18a87be491286ec4585e5e

SHA256
55bf48a93173d9bb3f5c77621761408792517a3d6e29fa7814870bac5ceb4266

SHA512
5f00a839c48b0889d44afcd82b0bf73f26e91d4ea22da567063073ee8c822d3e7baef6e01a9290a1938a47d972de4aa52928b30d43e1fa69786c5291c015877e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbvk2e5p.0.vb

Filesize
14KB

MD5
cea026d32159e18bb81197c1edf49b00

SHA1
7688365b8d2900e020a221d9109e6a76dda84af6

SHA256
2380ea5e22234ab65c51184945278b1a37521d45c301d7aeaf7299f45e02c5b7

SHA512
bfc85d87be37da0fad44fcc8cf8abe4de40fc57847ceae0cfc50dc284f525453cf102aa87fb8d18398f89e86ad71ece6685951e584e7db6cd11880f5c7ae1d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbvk2e5p.cmdline

Filesize
266B

MD5
cd6d6cc0cee88a140c294b691d9036c1

SHA1
ad08b2ac310592b3817a25a763c8f49ba2fd4f75

SHA256
bc32c001e5420e8908d0bf45e3d76fb3900c47a771274fe50935c548be59efda

SHA512
fb87f1d294b5682c10113979347228be38f125cd59e64c9ef138219771861a55d091931548b0d74bb2839445fe554e2cb2c04c42d21f634cbc6a63a16fd9c8ea

Download Submit
memory/404-0-0x00000000745E2000-0x00000000745E3000-memory.dmp

Filesize
4KB

Download
memory/404-2-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/404-1-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/404-22-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/4812-23-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/4812-24-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/4812-25-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/4812-26-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/4812-27-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/4980-9-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/4980-18-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing