metamorpherrat | e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528e

General

Target

e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe
Size

78KB
MD5

b72e7beb1ae1638ce457d13fa05d5fe0
SHA1

dbdb1a8ed3ad2011523a7c3b736ce4d0a1043135
SHA256

e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528e
SHA512

4aab0974ffe534b87bc05ff31a22fd2012655540012de8a7d974af53a84046dbc812498d0fcc6ba0d19dade5539885dcfe6c0ed4ba7df67f794a13bb5e63cddd
SSDEEP

1536:BHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQta9/rN1+x:BHFoI3DJywQjDgTLopLwdCFJza9/m

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2744	tmp83B1.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2648	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe
2648	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp83B1.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2780	2648	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe	30
PID 2648 wrote to memory of 2780	2648	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe	30
PID 2648 wrote to memory of 2780	2648	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe	30
PID 2648 wrote to memory of 2780	2648	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe	30
PID 2780 wrote to memory of 2688	2780	vbc.exe	32
PID 2780 wrote to memory of 2688	2780	vbc.exe	32
PID 2780 wrote to memory of 2688	2780	vbc.exe	32
PID 2780 wrote to memory of 2688	2780	vbc.exe	32
PID 2648 wrote to memory of 2744	2648	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe	33
PID 2648 wrote to memory of 2744	2648	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe	33
PID 2648 wrote to memory of 2744	2648	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe	33
PID 2648 wrote to memory of 2744	2648	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe	33

C:\Users\Admin\AppData\Local\Temp\e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe
"C:\Users\Admin\AppData\Local\Temp\e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\klqi7qly.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES843E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc843D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2688
- C:\Users\Admin\AppData\Local\Temp\tmp83B1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp83B1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES843E.tmp

Filesize
1KB

MD5
ab3d5880680673b4e0dbfb2edf786045

SHA1
743a3bb7762bad16a7d8a327dc4a68bc7566d183

SHA256
331a77f4486efa69d1e7e4e06773ca2cafd34cb72bab27b612695cf7757ddb4a

SHA512
9c0687e6e0ed926c1285b57160e539922e4b1aba0930fa723f2f1903d3d9192dd1d061b17795b45a1dbbf74fddb8502534547549205c9c18eb1296d7b43cbe9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\klqi7qly.0.vb

Filesize
15KB

MD5
0a262c084b94d14632dea4a48f99d47d

SHA1
6b6ace33d96e350349e97ce2bfd59ebf761d8012

SHA256
2ea8cf97f93666faa309bbf73054aacd1e81b05acdd26171535c2c6b0726f4ec

SHA512
53df5dc1cad00f2eb3e90e1dcfbd58862453b4d564b637f9771e9c17c836de13b3760e31204ae3aa40b83ff7c96990d7827044a594d563fc657b128120ea93af

Download Submit
C:\Users\Admin\AppData\Local\Temp\klqi7qly.cmdline

Filesize
266B

MD5
9c87af194dc7d270900a47245fe32fe5

SHA1
fb8d146b4bede65a86c73a2ccf5a3091589355f3

SHA256
243acab6152ce4c9ebf0196e236a5238f3e0de7c111c180755a0731b6f35c3e1

SHA512
bb35d9168e9aca0bec28ac363c13ef85563e9ca7a556c22db64eec22e5cb7f51ffc17463ca6fa30f5ea24dd32b3bf00159ff7dfe014e0883a795d03bf779b227

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp83B1.tmp.exe

Filesize
78KB

MD5
7831c4f6107dac0c54d45dfae988f19a

SHA1
ba14e1bf354b1b905a2ac98b13a90afd58c45ba3

SHA256
bc902bff187e156167fb9b5e2c7433301eb6abd63c2ac78e35054c1fd9d7dc5a

SHA512
dcc1a91772108be1124adaa33424fb5a5532f9f50ed4961920716af77773ae56f1ec6e9e3c8e529977397caa4bcb71cdd74672039f161397e33510709d0d3d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc843D.tmp

Filesize
660B

MD5
6fac3f2b0b73b542d4520c421932c49a

SHA1
6cf182afb8024b57c0be0851747f498dfa4add70

SHA256
ad1c242ad1bfe5eebd021ec132bf4598f5dfc3a26c03d51dd390fba18705d637

SHA512
b7cd97234526d634addf6778b0261dce44fed4b33924fe3b88342d35092b5456c344afe4ebdf9b777f2142bdcda393b16f27f4a3d46510e46eb902a97d6a8794

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2648-0-0x0000000074051000-0x0000000074052000-memory.dmp

Filesize
4KB

Download
memory/2648-1-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2648-2-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2648-24-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2780-8-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2780-18-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing