metamorpherrat | 12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f

General

Target

12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe
Size

78KB
MD5

d4e4200b05c2554426faa4b79fb18de4
SHA1

819a07e23eec45f244cfc87fea29a76363376e4b
SHA256

12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f
SHA512

88738fc9124540b11858f06229b005275fd90430387c952e6afdeb1b81e0cfce3ed758b8ce58f3984a61e4b9b1c724d00abca561bbeb017700517886fe11ec19
SSDEEP

1536:URWtHY6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtLk9/71Bm:URWtHYI3DJywQjDgTLopLwdCFJzLk9/a

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe

Deletes itself 1 IoCs

pid	Process
2816	tmpA354.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2816	tmpA354.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA354.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3652	12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe
Token: SeDebugPrivilege	2816	tmpA354.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 2444	3652	12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe	82
PID 3652 wrote to memory of 2444	3652	12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe	82
PID 3652 wrote to memory of 2444	3652	12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe	82
PID 2444 wrote to memory of 4192	2444	vbc.exe	84
PID 2444 wrote to memory of 4192	2444	vbc.exe	84
PID 2444 wrote to memory of 4192	2444	vbc.exe	84
PID 3652 wrote to memory of 2816	3652	12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe	85
PID 3652 wrote to memory of 2816	3652	12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe	85
PID 3652 wrote to memory of 2816	3652	12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe	85

C:\Users\Admin\AppData\Local\Temp\12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe
"C:\Users\Admin\AppData\Local\Temp\12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bumelbvi.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA45E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5D896036FFE4BAA84AAFBF6A9B3318D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4192
- C:\Users\Admin\AppData\Local\Temp\tmpA354.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA354.tmp.exe" C:\Users\Admin\AppData\Local\Temp\12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA45E.tmp

Filesize
1KB

MD5
1cfd08a19100c909c3a95708fe18fe61

SHA1
6d86f41833a5f5bd6f199fceedf5515f34191584

SHA256
351b7544283da10b0b8ef6c3c436e2b8f162c287ad60d6fd8174accdde1ca1f8

SHA512
7e913a55d283d4c389b8af73ba1d5b90e1491e0a28903eba53c15ae10192ceeaeceff5187dc14c2d8a60aab41a9f4658d54bd823ad61601f9e9a122f19462e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bumelbvi.0.vb

Filesize
15KB

MD5
58dddaa3a1cfe8a59147f2af62754253

SHA1
14400bac529ee4109248c25a2ce4391a5a5c3488

SHA256
026fd9dbf1dc98bc5c0ae9cc01a2b96e1b60fb6a3433b37dd176bbb49d4d2f86

SHA512
8314c8fac7cd8ed34567e393d4d8ed4a3ff724454d8541e4e3ad115f040036b9a81188b4065766e88f24d6b4d5463880c60868870421d349658b445525ddba5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bumelbvi.cmdline

Filesize
266B

MD5
f78d36d4ea0ae7f4964a4b6d74fd238f

SHA1
7cba23e630fd47ca6dbf465020bf47e5a0e738a3

SHA256
3d30f89cd4a22e368d7f620a381c39468be1799215c27cb94900d68316f5e176

SHA512
f9025a946a76ea4c5bacef3f3749fa251a15ff3c16f97a82f5c673a7b17d9ce81e07b8463df947ffda05192c36a83084768cec88d56980408bcf9d91056facde

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA354.tmp.exe

Filesize
78KB

MD5
c4348195c7bd06efd6ecae8afc3a6727

SHA1
f3decabbe158ff6bea5bc732312fbd76bfbd73cd

SHA256
2fda649170090a1fd1db5e832a3395707a133ae4e454f7f8a1cbd39af97b916d

SHA512
389fe1271142f9751e2e664c09763b146be0f64e7c45e1d4878aa76d8ffc4c5473867c7d4f68a4c56205d48e34c1772fe9c8814832ecba7a365c45807288a338

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5D896036FFE4BAA84AAFBF6A9B3318D.TMP

Filesize
660B

MD5
f1e84be6f421107c84f20be791d1bdc7

SHA1
bdbba2c608c78c9e48d755e8ea07e2236866e164

SHA256
1db04abbecfdc9d423b4e1e105fb36d9c7fda519f1c1dd0316874aa3b94c31e4

SHA512
bcb6c51d99e3f44430c340c6104bd747e6782ebc25dbc92f1378150ea2cc3691cde4e1880a52931eefe4d1bf4b58329661f1d77b5f1e5fcf42f4487322d13abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2444-18-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2444-9-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2816-23-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2816-29-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2816-24-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2816-25-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2816-26-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2816-27-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2816-28-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/3652-22-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/3652-0-0x0000000074EC2000-0x0000000074EC3000-memory.dmp

Filesize
4KB

Download
memory/3652-2-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/3652-1-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing