metamorpherrat | ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8

General

Target

ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe
Size

78KB
MD5

25948a6c3218dbfcaae96f2e3c3a14f0
SHA1

f57137bba0e9610dac65f2780f5ffde89f693618
SHA256

ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8
SHA512

d2a3d3d58bae8d1293c4afd7b93253bf2b377043c94740f6720991771ce350a4c448fbbdae9baebd3f4313b97635d3ab9289e94830f3698e07b416b5c7533772
SSDEEP

1536:nsHHuaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQts9/R1ss:nsH/3DJywQjDgTLopLwdCFJzs9/l

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2640	tmpDC1C.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
548	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe
548	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDC1C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	548	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 2040	548	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe	31
PID 548 wrote to memory of 2040	548	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe	31
PID 548 wrote to memory of 2040	548	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe	31
PID 548 wrote to memory of 2040	548	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe	31
PID 2040 wrote to memory of 3048	2040	vbc.exe	33
PID 2040 wrote to memory of 3048	2040	vbc.exe	33
PID 2040 wrote to memory of 3048	2040	vbc.exe	33
PID 2040 wrote to memory of 3048	2040	vbc.exe	33
PID 548 wrote to memory of 2640	548	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe	34
PID 548 wrote to memory of 2640	548	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe	34
PID 548 wrote to memory of 2640	548	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe	34
PID 548 wrote to memory of 2640	548	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe	34

C:\Users\Admin\AppData\Local\Temp\ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe
"C:\Users\Admin\AppData\Local\Temp\ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\axvtmqaj.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDCF8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDCF7.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3048
- C:\Users\Admin\AppData\Local\Temp\tmpDC1C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpDC1C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDCF8.tmp

Filesize
1KB

MD5
dc5278a2f70722f96ec7eff6c9c8f97a

SHA1
8b50bd12e35d1682e28aff29b1d6e9feef475aa4

SHA256
abc6a99d84f561bbfe97a1f4d7cd494412b2fe3141c6cada3533ce2821b3f98c

SHA512
d24e875310ed2af468133e99ae036f6463b2b5e7b34ec2f4ef32b4166643b60005785d4405c1ae5b120e3e103aeae6c8d4139f92afa10d3691bee41940ff5211

Download Submit
C:\Users\Admin\AppData\Local\Temp\axvtmqaj.0.vb

Filesize
15KB

MD5
fee976114be8cf900887f4563382eaf8

SHA1
2128143fe26026477990b7c1bc1e7fbffc486298

SHA256
9341e07bbde38c60565b34b418c9689e63f0ad0bc510310a6303012ee9d0aa10

SHA512
a70a86d93d00e5c2c2919c5d25fca31633a90e1a1481461f26d8aabc138d8d2f6d2848e9bd9bcea8fb44e845a55d02c76475a85f74f36d4da8849a682c2fed33

Download Submit
C:\Users\Admin\AppData\Local\Temp\axvtmqaj.cmdline

Filesize
266B

MD5
994120192234f8b7e53531bf761d3bd0

SHA1
b0a050df77761f370e923b0d4d732c978332e4da

SHA256
5ea50141a9b72c00bcd2765890a39fa7c9153f83ce61d8e422a2f49bc15e2261

SHA512
8327fedf59e5e30714c33b7af0aae4860bfaf7596ef3d44d34c127499bb5847a9ca5bff9c87aa9992e972329f1a0936d641e708663c6e6c4eb1a038b66245e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDC1C.tmp.exe

Filesize
78KB

MD5
1b69a98c4d330ca953a9569b175d4c7b

SHA1
8e802944aa8faab1b4cc8cb7d8303980e07d3cf2

SHA256
e23c7a8886f44455215871973ee19ad61d2bfbe418766b48909c7713531dfc6d

SHA512
42f5c8ac970e951da17c7b4141e1e5dbcc564894f6037569ee3058d77ac73301305a82bd36b9ee0766563d8a8cf59b5745f72f6e267cc7a957d38f0ecc68fa88

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDCF7.tmp

Filesize
660B

MD5
04e189966da3551c3b70a4ab4fa83a89

SHA1
40fd791e7d11edbe6dfb374337077d18934a6bcb

SHA256
c6701a9c014d44b8330a83d5689c3484a3e49303dbb1d74f35d58b8a5e2d9376

SHA512
976f4f669962ece55cb1c1469dc1da88c267f5b7b7d2c8fdda1eb271001a9a8d1bd939ff34d1816ad0bea2c36b6f23b015d4ad74eeb49f90c118f026fa4f7281

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/548-0-0x0000000074711000-0x0000000074712000-memory.dmp

Filesize
4KB

Download
memory/548-1-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/548-2-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/548-24-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-8-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-18-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing