metamorpherrat | 68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603

General

Target

68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe
Size

78KB
MD5

81df97a54b8c4fa3dc0bf640a319dd29
SHA1

340a4a7416713b287abaddce099f8d6b02657650
SHA256

68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603
SHA512

63addd28010f6adcfbaa9cbcd62f75a9452a7514697b8053c6edea4466e73b6342ce49b407235034521daeb594456c607de827ff146a271e199e1f8c4fcb7663
SSDEEP

1536:ZRWtHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtMI9/WR1Ch:ZRWtHFoI3DJywQjDgTLopLwdCFJzMI9h

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe

Executes dropped EXE 1 IoCs

pid	Process
3328	tmpB47B.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB47B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe
Token: SeDebugPrivilege	3328	tmpB47B.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2348	3016	68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe	83
PID 3016 wrote to memory of 2348	3016	68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe	83
PID 3016 wrote to memory of 2348	3016	68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe	83
PID 2348 wrote to memory of 956	2348	vbc.exe	85
PID 2348 wrote to memory of 956	2348	vbc.exe	85
PID 2348 wrote to memory of 956	2348	vbc.exe	85
PID 3016 wrote to memory of 3328	3016	68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe	86
PID 3016 wrote to memory of 3328	3016	68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe	86
PID 3016 wrote to memory of 3328	3016	68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe	86

C:\Users\Admin\AppData\Local\Temp\68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe
"C:\Users\Admin\AppData\Local\Temp\68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ilhiurk5.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF8F48BB6E1D441A880814598DF1A233B.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:956
- C:\Users\Admin\AppData\Local\Temp\tmpB47B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB47B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB6DC.tmp

Filesize
1KB

MD5
389fb6e591b37a755a2ef162be8f4aee

SHA1
45441947f141882d9d58505c31ea7eba3d6adba2

SHA256
782a2805d9c79cdc536e89c8eed9bdda81ce18a469e582894cecbb4d88b32231

SHA512
767612423e43e01f82039ca5bd4940ae63afa41dd5bcd9090c0ba66b35366cdfe4ecf457a2e2e04e29ac2697ce08adb3d40b65d013bcb84edb2f260296f05f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\ilhiurk5.0.vb

Filesize
15KB

MD5
de2b55af685071c0fc545e791d06b07a

SHA1
1e38c175ccad3b37f9878f67b1aa66b2f7fedb55

SHA256
aaa18972e02da724a30cf6cc84dff7ff7f2ff8f76d7d2c7797a402ea9e34ee5b

SHA512
2e009cc71c1e5c2250843dfa6b1849e513ee5bcdaf9ae828b18d162315ab975959a17220a26742040263f29c2a1d7addffbb99890307362c9afb3d3f55a46079

Download Submit
C:\Users\Admin\AppData\Local\Temp\ilhiurk5.cmdline

Filesize
266B

MD5
90a58a6380fd2e5aa87f999df00a5719

SHA1
7ecfecef6eba6e36c62df77dcf6b9763b25e4d1a

SHA256
db9cc8bd8b51fb0f8f186928ec5e0fa20c28e5b358140b975095c77d304ac66d

SHA512
fc3c7b64aecbfe9cdef94a7400f00d982faeb26e4e26efef5297ab7b49897c1abd28f36b77c1dbeba7f37fd5b5208fe4f41191c8cf04c24c15660c5d6c0489d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB47B.tmp.exe

Filesize
78KB

MD5
1c116e62e7e025357e8bfcd94ea96040

SHA1
5fe17f60a30010fa0b925d0bd2ce0ace379f4a4e

SHA256
5c4e3e0a248d8ffeae21c2c1bd7ee47c9784cb874504979bffefd8495bb4fcf6

SHA512
75e54afaef53f325bfb7e5c3481b216855c8ea7e860ff1f1714ae10cdf50a4f3dd1502cd3eae7b26e09e12bafa79a324c241f2ace6f4ae93e3734fb3bab5a275

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF8F48BB6E1D441A880814598DF1A233B.TMP

Filesize
660B

MD5
b39dd30198e28f06178a28990642b748

SHA1
f87b3a0a409b7c94320287a6c25dcc9262ad6a7c

SHA256
58d103ccda5aa6919db002b9754cc1c08cc209b0e02af5d10b7c776dc41f8ea0

SHA512
64cfaae081ffd5263267806bed6c30fad7169bf1ba843a4354f1e15402e922d20ff928b50e0e19109f9152d3e0e7e9c16f089029a75cc56b43c6d9a581b219fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2348-9-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/2348-18-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3016-0-0x00000000749B2000-0x00000000749B3000-memory.dmp

Filesize
4KB

Download
memory/3016-2-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3016-1-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3016-22-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3328-23-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3328-24-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3328-25-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3328-26-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3328-27-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3328-28-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3328-29-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing