metamorpherrat | 6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087

General

Target

6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe
Size

78KB
MD5

a76234d3445d925d6ae88cb977c99200
SHA1

d301938d7c541e889ce36940a16736448933c152
SHA256

6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087
SHA512

d45722c4874d07bc38e536c0c97c5c5db78343c5867bbed892adc0aabf632242946121dfe037ea4900b2464839e7e9003a806fa4daf14de221242d38682604d2
SSDEEP

1536:lsHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtkb9/51nh0:lsHFoI3DJywQjDgTLopLwdCFJzkb9/S

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2580	tmp5580.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2708	6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe
2708	6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5580.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2712	2708	6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe	30
PID 2708 wrote to memory of 2712	2708	6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe	30
PID 2708 wrote to memory of 2712	2708	6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe	30
PID 2708 wrote to memory of 2712	2708	6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe	30
PID 2712 wrote to memory of 2312	2712	vbc.exe	32
PID 2712 wrote to memory of 2312	2712	vbc.exe	32
PID 2712 wrote to memory of 2312	2712	vbc.exe	32
PID 2712 wrote to memory of 2312	2712	vbc.exe	32
PID 2708 wrote to memory of 2580	2708	6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe	33
PID 2708 wrote to memory of 2580	2708	6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe	33
PID 2708 wrote to memory of 2580	2708	6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe	33
PID 2708 wrote to memory of 2580	2708	6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe	33

C:\Users\Admin\AppData\Local\Temp\6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe
"C:\Users\Admin\AppData\Local\Temp\6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z1r2kvtf.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES563C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc563B.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
- C:\Users\Admin\AppData\Local\Temp\tmp5580.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5580.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES563C.tmp

Filesize
1KB

MD5
7669c2421132701b97bf78c4f9ab203e

SHA1
b55ef32c9639083490943f0ebd3b357afd3cb369

SHA256
cbc6c2f5a5ec47d501be4c455acd99f1f0869db3d71ff10d6caabfbbfcc78565

SHA512
c90f7a67eabf91cac5e6467c087b551ea1063870996d8bbacaf976f04ac43e6bfd75166e4a730fee49e451c8c797fe99f61a4545a494644c16249561da7ca058

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5580.tmp.exe

Filesize
78KB

MD5
74e5e9638d9edd2206dace3dbd8699da

SHA1
0b1c9e1e8d56e7c074c88b080b84a0bcd7b4bbc1

SHA256
1721188c51cce98c0503e5ced8ebadce522facc1247022cd760ebe2485b48015

SHA512
86f15d13338b64f897d7302b85b7fb6450d8820f6efe07c4880df6124c8b61bbe7d8f0177a69ebcddc53ad4c68792f6c80ae49caacc74b677af456e97c03393c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc563B.tmp

Filesize
660B

MD5
3fabd16982dce6b4e0dc24c601efee32

SHA1
f6c562b2c9d6417410bc1d3f3dd444e3f71797be

SHA256
5dc294f62fdc570315063af2e1fd7326ddea2ae012c1e908631f731a0dd182c8

SHA512
7eb97cd75a7dda3bfbfe360367f3fe126909db47fd971875523a4db274f70ac802a9ae84d7b0e4ff7831fd8384dadb514b94d5be989e0d2b84e8abe703a46047

Download Submit
C:\Users\Admin\AppData\Local\Temp\z1r2kvtf.0.vb

Filesize
15KB

MD5
5baf813f87098e389a251ff5963ccd8b

SHA1
cd592f764abe206c427191aaa138591d92922557

SHA256
b352f403b4f48c0520c7170be491f538a65868468fa395947f288deefca46835

SHA512
9080b588a129ab7034944170131ad8cb8914541f96eefeb0288d4a689a92a98753ecd2695b15bdb2a97c383efa34d10b5d60704d38da784ef7797f71db0d7331

Download Submit
C:\Users\Admin\AppData\Local\Temp\z1r2kvtf.cmdline

Filesize
266B

MD5
947899abe9b039edea6af6e4f4543f6c

SHA1
0a59638200e3b13fb17f78da3b88b59978520bff

SHA256
a58564061f3ec5eb257c120d0705f9897c0a28efdbe2bf641e798e0992e08ae3

SHA512
732d7a5c66c8b958edb93b9c7219187b056d037ea57d4a4eb88812fae889f33f78152a7dc58246d7a932c3764c0d6263f5301337a96fd3a42f16196a8cc4faa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2708-0-0x0000000074891000-0x0000000074892000-memory.dmp

Filesize
4KB

Download
memory/2708-1-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-2-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-24-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download
memory/2712-8-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download
memory/2712-18-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing