metamorpherrat | e6bbcd209453e016fa8b4e88dd17478239a9b304dbacea80fcaf4ce74bd4043e

General

Target

e6bbcd209453e016fa8b4e88dd17478239a9b304dbacea80fcaf4ce74bd4043eN.exe
Size

78KB
MD5

40ba47bf897852f9d96c1ad5bec8d870
SHA1

12f0ddc8fa5a8c00b5fa520c7081c413ab298f7a
SHA256

e6bbcd209453e016fa8b4e88dd17478239a9b304dbacea80fcaf4ce74bd4043e
SHA512

f26decd39a1d50d4b90fc1a078cbf9231d5d835ddc7007bea2c3b322c586efa83d04e1ffd4bc508e05791f87bf84a6e8802b2d981dc4361c344978ade1c93d79
SSDEEP

1536:8PWtHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtG9/D1B+:8PWtHFoI3DJywQjDgTLopLwdCFJzG9/y

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2160	tmp87F5.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2512	e6bbcd209453e016fa8b4e88dd17478239a9b304dbacea80fcaf4ce74bd4043eN.exe
2512	e6bbcd209453e016fa8b4e88dd17478239a9b304dbacea80fcaf4ce74bd4043eN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87F5.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6bbcd209453e016fa8b4e88dd17478239a9b304dbacea80fcaf4ce74bd4043eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	e6bbcd209453e016fa8b4e88dd17478239a9b304dbacea80fcaf4ce74bd4043eN.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2940	2512	e6bbcd209453e016fa8b4e88dd17478239a9b304dbacea80fcaf4ce74bd4043eN.exe	30
PID 2512 wrote to memory of 2940	2512	e6bbcd209453e016fa8b4e88dd17478239a9b304dbacea80fcaf4ce74bd4043eN.exe	30
PID 2512 wrote to memory of 2940	2512	e6bbcd209453e016fa8b4e88dd17478239a9b304dbacea80fcaf4ce74bd4043eN.exe	30
PID 2512 wrote to memory of 2940	2512	e6bbcd209453e016fa8b4e88dd17478239a9b304dbacea80fcaf4ce74bd4043eN.exe	30
PID 2940 wrote to memory of 2880	2940	vbc.exe	32
PID 2940 wrote to memory of 2880	2940	vbc.exe	32
PID 2940 wrote to memory of 2880	2940	vbc.exe	32
PID 2940 wrote to memory of 2880	2940	vbc.exe	32
PID 2512 wrote to memory of 2160	2512	e6bbcd209453e016fa8b4e88dd17478239a9b304dbacea80fcaf4ce74bd4043eN.exe	33
PID 2512 wrote to memory of 2160	2512	e6bbcd209453e016fa8b4e88dd17478239a9b304dbacea80fcaf4ce74bd4043eN.exe	33
PID 2512 wrote to memory of 2160	2512	e6bbcd209453e016fa8b4e88dd17478239a9b304dbacea80fcaf4ce74bd4043eN.exe	33
PID 2512 wrote to memory of 2160	2512	e6bbcd209453e016fa8b4e88dd17478239a9b304dbacea80fcaf4ce74bd4043eN.exe	33

C:\Users\Admin\AppData\Local\Temp\e6bbcd209453e016fa8b4e88dd17478239a9b304dbacea80fcaf4ce74bd4043eN.exe
"C:\Users\Admin\AppData\Local\Temp\e6bbcd209453e016fa8b4e88dd17478239a9b304dbacea80fcaf4ce74bd4043eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y8larx8i.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88E0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc88DF.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- C:\Users\Admin\AppData\Local\Temp\tmp87F5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp87F5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e6bbcd209453e016fa8b4e88dd17478239a9b304dbacea80fcaf4ce74bd4043eN.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES88E0.tmp

Filesize
1KB

MD5
0d7592c1545a6397aa1579821a5c884a

SHA1
1688e5d301ce27e2a624966b7aa1d734af00db6b

SHA256
f91ae729c0a83cbbce00f98068a7daf700127b85b1807b8497ed35cdb56d6b45

SHA512
7017bfb0c4ae3304c06e5f04836ec48235f7a4a5b8c004f7b129c9938d03c1cc0aafc89196dafbc18342c99a6746845f6cc2f3db8891a91ee40e0874e6c518af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp87F5.tmp.exe

Filesize
78KB

MD5
e2431d502d6729b484bfcc65733f222b

SHA1
6609f542d40526ee0761d86602fb1670945dc863

SHA256
ede080a35e12bbdf8da9da9eedf467403be26e133c0b0ca0b362133f09f5d8f6

SHA512
1793543a14aaa24839995c00d18a04c2dcc3392e6a4bfa5ed3206a9597671a8f62ae2dc5345a9cb919a4fa0e85be9d726e1914873833ac41f8f0b1ff435b5d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc88DF.tmp

Filesize
660B

MD5
2181250b8191d75b3b68e18ec05ad024

SHA1
cc2aaca8da1bb93ec8f3de1fd54b243f25ff8164

SHA256
78f27a5e654aafaa2293b21baf8853ee6618d36f110a51072698723a651706d3

SHA512
edfb240be38cdebed4937a620b8e4b1ebbf81390e41289a6ba7922beb09ae799a22e339deb6b58603ade1200ac95e562676a6ebe77f0fa6e75095c805761b4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\y8larx8i.0.vb

Filesize
15KB

MD5
34c71c50a1efceec9ba1219905802fe2

SHA1
e6f448623f69dbe7ec196a96261c24a6fce7d4a1

SHA256
e4d5a7831c3b9021bc8ff77d07700ab676069b36ddbbcf2838dcf378d56f3040

SHA512
14fee79f836afe5a268707d99b6580bdb0a3c2fdc78301887d52bec99e85eaf80630b8205862572cf6c7bb7ba5e778a8ad53aa7e10fef8c3dc93ca8bfb2931a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\y8larx8i.cmdline

Filesize
266B

MD5
5c9dd4fbb04f4574fe79c34e2161d289

SHA1
f00c8d7b93a7064f6ccb1bba3e8e4d7cdcb759f5

SHA256
6dabf3fdb8f1609ba9292efbe802fc80c198d6eb2d7f4244495248471a09d0d4

SHA512
d9e451f70c2ce7451f58dfbf4bf7807c7e7f04960aabf70464a6906cd9b7297c650bff7da19677803c9877566c233614e418df0b6a64c5b102df4b43def269ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2512-0-0x0000000074411000-0x0000000074412000-memory.dmp

Filesize
4KB

Download
memory/2512-1-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/2512-2-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/2512-24-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/2940-8-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/2940-18-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing