metamorpherrat | 9eb0fd18cdb9d015595fad290e9968f30f706f898644134ecc4a9e543402d4ce

General

Target

9eb0fd18cdb9d015595fad290e9968f30f706f898644134ecc4a9e543402d4ce.exe
Size

78KB
MD5

a65d5471494205d04c4d4af7d76c4a48
SHA1

5ad8f0f736afb35a120891d67c1f5b8861cec767
SHA256

9eb0fd18cdb9d015595fad290e9968f30f706f898644134ecc4a9e543402d4ce
SHA512

b0750bab52331c52b9223eeeadf7229b61f53da7eb3de335788661e94f01a87dde7d67fad38fa4b41c1f6488c7480016905717e6216b16a206936b7fc02b94ea
SSDEEP

1536:gxWV58IpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti6U9/u1zo:sWV58mJywQjDgTLopLwdCFJzc9/L

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1700	tmpAD11.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2708	9eb0fd18cdb9d015595fad290e9968f30f706f898644134ecc4a9e543402d4ce.exe
2708	9eb0fd18cdb9d015595fad290e9968f30f706f898644134ecc4a9e543402d4ce.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9eb0fd18cdb9d015595fad290e9968f30f706f898644134ecc4a9e543402d4ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAD11.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	9eb0fd18cdb9d015595fad290e9968f30f706f898644134ecc4a9e543402d4ce.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2452	2708	9eb0fd18cdb9d015595fad290e9968f30f706f898644134ecc4a9e543402d4ce.exe	30
PID 2708 wrote to memory of 2452	2708	9eb0fd18cdb9d015595fad290e9968f30f706f898644134ecc4a9e543402d4ce.exe	30
PID 2708 wrote to memory of 2452	2708	9eb0fd18cdb9d015595fad290e9968f30f706f898644134ecc4a9e543402d4ce.exe	30
PID 2708 wrote to memory of 2452	2708	9eb0fd18cdb9d015595fad290e9968f30f706f898644134ecc4a9e543402d4ce.exe	30
PID 2452 wrote to memory of 3000	2452	vbc.exe	32
PID 2452 wrote to memory of 3000	2452	vbc.exe	32
PID 2452 wrote to memory of 3000	2452	vbc.exe	32
PID 2452 wrote to memory of 3000	2452	vbc.exe	32
PID 2708 wrote to memory of 1700	2708	9eb0fd18cdb9d015595fad290e9968f30f706f898644134ecc4a9e543402d4ce.exe	33
PID 2708 wrote to memory of 1700	2708	9eb0fd18cdb9d015595fad290e9968f30f706f898644134ecc4a9e543402d4ce.exe	33
PID 2708 wrote to memory of 1700	2708	9eb0fd18cdb9d015595fad290e9968f30f706f898644134ecc4a9e543402d4ce.exe	33
PID 2708 wrote to memory of 1700	2708	9eb0fd18cdb9d015595fad290e9968f30f706f898644134ecc4a9e543402d4ce.exe	33

C:\Users\Admin\AppData\Local\Temp\9eb0fd18cdb9d015595fad290e9968f30f706f898644134ecc4a9e543402d4ce.exe
"C:\Users\Admin\AppData\Local\Temp\9eb0fd18cdb9d015595fad290e9968f30f706f898644134ecc4a9e543402d4ce.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kgdtazb7.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE79.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAE78.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3000
- C:\Users\Admin\AppData\Local\Temp\tmpAD11.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpAD11.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9eb0fd18cdb9d015595fad290e9968f30f706f898644134ecc4a9e543402d4ce.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAE79.tmp

Filesize
1KB

MD5
82760c058db3034dbc0e0479efda8366

SHA1
3c0e494648a47498ea85438c9c10428d65136fff

SHA256
b41a53007e64b088400aec550961540e3af3ff83735ab6d8fe20383d7e209000

SHA512
084310a9febd74463ac8a6a756f0fb2f45fb9f84e1b63d0b40009e09fdf2310703cea51f2b40c2d567deb856ca688d566b426d62f8b45c69633e366b5effe27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgdtazb7.0.vb

Filesize
14KB

MD5
90dd2316c27e032631ceb8efcc1adb10

SHA1
0fe1180713a34932fca1b239cd8b2d5ad68e8b66

SHA256
e7258197e4a28499cbe3ed446d3f1bf7144eeb46f4e6466af7f24394e84013ab

SHA512
c534e61e15386d9095eb975e15b43435c6f4ef737fcb2a17788c8d2f33e6df8e41aeab477d2f9f437b35c5ea2beb0b371ab61609e690582a36337d2f41f83c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgdtazb7.cmdline

Filesize
266B

MD5
7e6d5966314d2a6f4638d6de3b048875

SHA1
b39baf55bcd56e20bef6a034fcec09c7454e333d

SHA256
b504027594d535f5b91ab20bf395e2810c7d0e986ae8d25df255c3c9431613af

SHA512
fcdd6163fecfde10c93b7d2f4a947feeaf6b83209f4ab4a00f44aa107b0076667e16dea47650e49d455bc027e43ac9fd36534d378218a64597b6f1c57692e4e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAD11.tmp.exe

Filesize
78KB

MD5
7f931e409178c3415f16c737b351b0f1

SHA1
4c27093707cdbc07a795c3e64bfd8b509cedd3b8

SHA256
406b06ba019177fef558bf920fb9dd715c16a5232972333d19581209252fe5c1

SHA512
bb19fe5da0522b76300d89a5a01f53ca1a150fbfc3b18152386069f07bd58c424daac394935bcb33e197e1e260043c820e987d56d07129a67eef9bb8179ecfe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAE78.tmp

Filesize
660B

MD5
355050eb33da49e31fa24533a186e3c4

SHA1
24cf61502a6b519073d9f161b2664cf4d01a5ddd

SHA256
7af375594f973c472d64609b6e89cd121f467c7f3066aaca71f92ea4180d5558

SHA512
970ccb42b7a361aa1ae9e4ce6034099cf58043d31a96037a14590186bae4c707df1cf288146bed03dba1a704b649318fbda61530c8a211bdfb70e90ca0018bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2452-8-0x0000000074EC0000-0x000000007546B000-memory.dmp

Filesize
5.7MB

Download
memory/2452-18-0x0000000074EC0000-0x000000007546B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-0-0x0000000074EC1000-0x0000000074EC2000-memory.dmp

Filesize
4KB

Download
memory/2708-1-0x0000000074EC0000-0x000000007546B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-2-0x0000000074EC0000-0x000000007546B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-24-0x0000000074EC0000-0x000000007546B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing