metamorpherrat | ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8

General

Target

ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe
Size

78KB
MD5

25948a6c3218dbfcaae96f2e3c3a14f0
SHA1

f57137bba0e9610dac65f2780f5ffde89f693618
SHA256

ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8
SHA512

d2a3d3d58bae8d1293c4afd7b93253bf2b377043c94740f6720991771ce350a4c448fbbdae9baebd3f4313b97635d3ab9289e94830f3698e07b416b5c7533772
SSDEEP

1536:nsHHuaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQts9/R1ss:nsH/3DJywQjDgTLopLwdCFJzs9/l

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1956	tmpCB0C.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2160	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe
2160	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCB0C.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2384	2160	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe	31
PID 2160 wrote to memory of 2384	2160	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe	31
PID 2160 wrote to memory of 2384	2160	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe	31
PID 2160 wrote to memory of 2384	2160	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe	31
PID 2384 wrote to memory of 2308	2384	vbc.exe	33
PID 2384 wrote to memory of 2308	2384	vbc.exe	33
PID 2384 wrote to memory of 2308	2384	vbc.exe	33
PID 2384 wrote to memory of 2308	2384	vbc.exe	33
PID 2160 wrote to memory of 1956	2160	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe	34
PID 2160 wrote to memory of 1956	2160	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe	34
PID 2160 wrote to memory of 1956	2160	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe	34
PID 2160 wrote to memory of 1956	2160	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe	34

C:\Users\Admin\AppData\Local\Temp\ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe
"C:\Users\Admin\AppData\Local\Temp\ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9w4p_0un.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBD8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCBD7.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2308
- C:\Users\Admin\AppData\Local\Temp\tmpCB0C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCB0C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9w4p_0un.0.vb

Filesize
15KB

MD5
f5d6bd6ff6deed9aaf50c36c13028ce7

SHA1
d4336c83e26386cc325bd9d225760bb5e2b29797

SHA256
3fd0f3969631aa867272210150643183d77b48174a9274513b702a34fbf8cdff

SHA512
727f937b936871e56ce1d5f85e311f3fadfa1c95422129c544a027ff629657575a571e8fb4bae1792c590000dd5574091ba1e5241b674c1be88a483831377b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9w4p_0un.cmdline

Filesize
266B

MD5
a16bb51c75177b99f0e6146f48e51456

SHA1
f37f537406c0d01b4dc6ea315d01f11672846c89

SHA256
866829308e3645428f1bf353f7e7382ccfcdf5adb73bd2e34000685c3dd5a6b4

SHA512
517f0e08bc3c8bd77414cebf00218f004e77b18f0c078f3379b13d8c140d4f2055ecbb86648fbb11551bd18779998065536a7d5f7979c1a9b4f8d86b77b15443

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCBD8.tmp

Filesize
1KB

MD5
35b4f14a16e9e8b8bf97b912c6993a86

SHA1
416094dae91d74c609c56ce4279bdd5bd90e54ef

SHA256
27ffade988ab5ea393927f83107f1304cfc8d42c55ee40500eb590da5f931779

SHA512
4d8453c72bf4a77c273947720b343723a0e52592580abad2289eb054034706951f2a38f199ba422f7b8dc0c01d6bdb4be01ca75269083aa93f4bf184a059100d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCB0C.tmp.exe

Filesize
78KB

MD5
fd3322e70a2c8c68ef83c5a6fc4f96e1

SHA1
e80edd6b1c09cc393ce39ff8cc71920106b82201

SHA256
ab15f15f7a927fd6e3c61e4bcb5958d5de2bd6235b8b79fd627e6729d86725e7

SHA512
f0446315a85f9149abaa4d0386898efa494d1a7e589fc2d5b1118c80579de8bc5625ae79c7d81a13e95cea8583ed7c5cb9dd5bacc1e1b19f421fc615620a353b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCBD7.tmp

Filesize
660B

MD5
29a0173e52eaf1513e4d1e8185616277

SHA1
7084544eba12841dd4b17758ff6b6a8e8e5004eb

SHA256
36de58e1bd190035ba986e57b4962b864a4bea5dda1af9697f713105dcb31962

SHA512
0d601269e70ed192de73d9d7bc82beeaf282f27a4fca688ac3802befbe8cae8c31d8d11f68f63a78cbcbaf6637c2008ab9cd7975b7d7121110bafd551aa29932

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2160-0-0x0000000074171000-0x0000000074172000-memory.dmp

Filesize
4KB

Download
memory/2160-1-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2160-2-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2160-24-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2384-8-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2384-18-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing