metamorpherrat | 8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d

General

Target

8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe
Size

78KB
MD5

f13f1d01a28fbee71a5c6a16f4122970
SHA1

606f92dfd349b012ec54f9912192ee6d4942c857
SHA256

8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d
SHA512

1fc59f8232612d5d3810aab9f0f259ac4de5ee0e72ce1e8b8a27f8ab4da9dae98e69d7fce3baf13a6dee65f3513a20ebcb1882581fab96224d10f5b72fed00e9
SSDEEP

1536:l+5jSNpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti67Y9/PC1aw8:I5jS7JywQjDgTLopLwdCFJzDY9/E8

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe

Deletes itself 1 IoCs

pid	Process
2612	tmp9E24.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2612	tmp9E24.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9E24.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 3624	1960	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe	82
PID 1960 wrote to memory of 3624	1960	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe	82
PID 1960 wrote to memory of 3624	1960	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe	82
PID 3624 wrote to memory of 4104	3624	vbc.exe	84
PID 3624 wrote to memory of 4104	3624	vbc.exe	84
PID 3624 wrote to memory of 4104	3624	vbc.exe	84
PID 1960 wrote to memory of 2612	1960	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe	85
PID 1960 wrote to memory of 2612	1960	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe	85
PID 1960 wrote to memory of 2612	1960	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe	85

C:\Users\Admin\AppData\Local\Temp\8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe
"C:\Users\Admin\AppData\Local\Temp\8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vwtrjntf.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F1E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc93C41DA3F134D50A4D8F433ECED3D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4104
- C:\Users\Admin\AppData\Local\Temp\tmp9E24.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9E24.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9F1E.tmp

Filesize
1KB

MD5
0f112d532f830c18ba27abecd2c71ebd

SHA1
65041c195d52bb7021c27ab837d788e9881c6a84

SHA256
fbefea58660466217e8cdbb13baead0777ca848d743c0783f887c7fc7d7bbded

SHA512
eb8ee065abfbfe7adbb2d3906c68010026059db31ae27fc6e2855cff7efef365c0657b6ea279d40f04b660cc0f304846859744f326c496641b052c52c273aaa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9E24.tmp.exe

Filesize
78KB

MD5
b9cded1edea987c91c66b004b54c2f30

SHA1
6606d2c46b0ef0bff3c7c59c24b43bc9b107eedd

SHA256
5948b98af011dc6d0e88f66e92bfc0d2f46098404ea620028fbe950f081314e3

SHA512
eae6c9e07161da79a3a5bd2bf010b8448c832c2290c185813a498e0dc3dc3fd309642c12e42c2e8659e86f3b23f303be51428b2be9af128e2583a966c6a6c11b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc93C41DA3F134D50A4D8F433ECED3D.TMP

Filesize
660B

MD5
7686eb7d8ccd3222b3b41e6d6ece6614

SHA1
8e5c95f1977bff6adc17b02e1480f48211ef56b5

SHA256
56cc46ea62059aff35ad9b9da4e6c035c328fd9a8af5da7b1e4de7a28bf68c73

SHA512
17555b4760fa9fc4c77b90effc51fac8346c0ca16d7ccbb2e929fe82270923595604f489d5b985fc6330793d8823b6632bc40df0167dfdf93556f4e26969d8c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwtrjntf.0.vb

Filesize
14KB

MD5
98b0aafcf459aa6401b89173fef5b998

SHA1
e1732488791134768e32df4139db40af1e1f9785

SHA256
cd65f2fc9e3d314f0470adf00e60e8b3c8e2a202677d9d7bc796e5eeac6e4efb

SHA512
9adc0c775b75181e91a4278ce5c59ec7e5c442a99a42e6995dce0be4f5381b1bf8945589110d37517d6bda0bda422cb16132febe8e35ff0bb40968473e8773c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwtrjntf.cmdline

Filesize
266B

MD5
40b20b3d24b44c1a6c9a58793f70373c

SHA1
d1744255bb408364239048a56da813e23bf71f2d

SHA256
9d16be924c99b6baf7d3c4918454273ba99a16963a3927afd11c9f0002f9d23f

SHA512
163d654fe3421dd2c5c49c6e0f9cd63b930e998bd73eeb34a8983cb548665ca75806f0f79a6adabadac388a1f8b69513367e3ff6bcdc683559b8f50582968a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1960-1-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1960-2-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1960-0-0x00000000750B2000-0x00000000750B3000-memory.dmp

Filesize
4KB

Download
memory/1960-22-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/2612-25-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/2612-24-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/2612-23-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/2612-26-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/2612-27-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/2612-28-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/3624-18-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/3624-8-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing