metamorpherrat | e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528e

General

Target

e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe
Size

78KB
MD5

b72e7beb1ae1638ce457d13fa05d5fe0
SHA1

dbdb1a8ed3ad2011523a7c3b736ce4d0a1043135
SHA256

e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528e
SHA512

4aab0974ffe534b87bc05ff31a22fd2012655540012de8a7d974af53a84046dbc812498d0fcc6ba0d19dade5539885dcfe6c0ed4ba7df67f794a13bb5e63cddd
SSDEEP

1536:BHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQta9/rN1+x:BHFoI3DJywQjDgTLopLwdCFJza9/m

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2736	tmp79D1.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2936	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe
2936	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp79D1.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2364	2936	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe	30
PID 2936 wrote to memory of 2364	2936	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe	30
PID 2936 wrote to memory of 2364	2936	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe	30
PID 2936 wrote to memory of 2364	2936	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe	30
PID 2364 wrote to memory of 3044	2364	vbc.exe	32
PID 2364 wrote to memory of 3044	2364	vbc.exe	32
PID 2364 wrote to memory of 3044	2364	vbc.exe	32
PID 2364 wrote to memory of 3044	2364	vbc.exe	32
PID 2936 wrote to memory of 2736	2936	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe	33
PID 2936 wrote to memory of 2736	2936	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe	33
PID 2936 wrote to memory of 2736	2936	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe	33
PID 2936 wrote to memory of 2736	2936	e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe	33

C:\Users\Admin\AppData\Local\Temp\e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe
"C:\Users\Admin\AppData\Local\Temp\e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ah3wacle.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A9D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7A9C.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3044
- C:\Users\Admin\AppData\Local\Temp\tmp79D1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp79D1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e611ee658986008d3dbb24266c69f9c7fddd447028ae7739d98e2c8cb4a5528eN.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7A9D.tmp

Filesize
1KB

MD5
dcad72330ff1a2aa581126cc46b2380c

SHA1
aa85f701c476e90ee83c32f85a3bab1e82aa20e0

SHA256
c4bd48cf944bdfa230813ee8377dbf7f818a970da287153675a21f35f4441128

SHA512
404142361a940a504a579ba3855265b62479b9152377d7e28c46ad0ad297c5bccb7e051e6a80847598e5c504efa74f3e3c23357c9f98ae7d0fcbf9201bbffb77

Download Submit
C:\Users\Admin\AppData\Local\Temp\ah3wacle.0.vb

Filesize
15KB

MD5
2cc0ba2570ea13c4fd1ebd29415856a4

SHA1
2806b24fbef95456d18a4b6928528055f1a8ddd7

SHA256
7d098ca018b921c3f8fae165bc600bec24a66357e82788472ce42965ee4ec181

SHA512
2a3530dad786e33fda1701726353b1fc6cacc848ba3c9194ac4ccdca1baa07d3d01e146095941ceb32247774d3ae0928a47103fb0a711d6464467a7cb3d82431

Download Submit
C:\Users\Admin\AppData\Local\Temp\ah3wacle.cmdline

Filesize
266B

MD5
74edca32fd4a09e1826c33e670c0721a

SHA1
f6de42d054b673f8331195e37ce3ccd3350c8e19

SHA256
a6e408ee6b8064a310fffb33edc30c3cc40279cd80a246b109e8a19c441d295a

SHA512
bc5c87a13dde233401f884c1d389569efeac9c4a6bf21b5ffe79f0431bb89f9bd7be9d21ca63dbcdbaf49d997630ad7a0e144e53f6e74b091a81bde435a0feda

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79D1.tmp.exe

Filesize
78KB

MD5
07983abb8d3542e6ee7d7534a1b08751

SHA1
73b9dccf7feff22badd60e9a33f28267f203acc5

SHA256
1acb9c187ddffbf7673ace1e058826b09082d8bb04892905835f9ee41219420e

SHA512
0217132940c35ec2d145378b2625c9dfa8849559561b4e8f6915c35cf7d5b78412b8b71b25a66c53877a04baacf868f7d196ff6aa7c431cfedf6487cf52cedc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7A9C.tmp

Filesize
660B

MD5
bc68b995c42716ca1a77333ae78bd213

SHA1
31b82d75ddb4435c52c0aef4e6de60b839af8fd2

SHA256
215d324a51ef781dbaf1818b93239b25fca21fc63c9d85ab40090c7613c5e12f

SHA512
0c548ab5af4a826beaa555f2bc5fd5f5a6966fd4f8f9fc95e4753b4f0efe34ca950f14c4c0f96043bdfcf044f3659d713e86bfa9d9064b5f8b2f3897f8f0dbae

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2364-9-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Filesize
5.7MB

Download
memory/2364-18-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Filesize
5.7MB

Download
memory/2936-0-0x00000000747A1000-0x00000000747A2000-memory.dmp

Filesize
4KB

Download
memory/2936-1-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Filesize
5.7MB

Download
memory/2936-2-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Filesize
5.7MB

Download
memory/2936-24-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing