metamorpherrat | 2db3dbc2d47de9fc7df3f48f4b8534cce6d2bcb4b6da23cadb28793fcd7700c1

General

Target

2db3dbc2d47de9fc7df3f48f4b8534cce6d2bcb4b6da23cadb28793fcd7700c1N.exe
Size

78KB
MD5

7302df4d178efb9c92619bd6c5687fa0
SHA1

336b110f1f5fa2277f13c9fdbb9c5866ecc2ee80
SHA256

2db3dbc2d47de9fc7df3f48f4b8534cce6d2bcb4b6da23cadb28793fcd7700c1
SHA512

e68debadb28ead4f210bc6b37cdc4d1a2a4d3d4db6179e779a98aedad38ba94f0269512409f7ece17bd6dfac27440b6c0c39189bae42c4aa4e58d47fcf2f1fdc
SSDEEP

1536:TCHHuaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQt/09/g10E:TCH/3DJywQjDgTLopLwdCFJzM9/w

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2632	tmpB2CB.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2976	2db3dbc2d47de9fc7df3f48f4b8534cce6d2bcb4b6da23cadb28793fcd7700c1N.exe
2976	2db3dbc2d47de9fc7df3f48f4b8534cce6d2bcb4b6da23cadb28793fcd7700c1N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB2CB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2db3dbc2d47de9fc7df3f48f4b8534cce6d2bcb4b6da23cadb28793fcd7700c1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	2db3dbc2d47de9fc7df3f48f4b8534cce6d2bcb4b6da23cadb28793fcd7700c1N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2324	2976	2db3dbc2d47de9fc7df3f48f4b8534cce6d2bcb4b6da23cadb28793fcd7700c1N.exe	30
PID 2976 wrote to memory of 2324	2976	2db3dbc2d47de9fc7df3f48f4b8534cce6d2bcb4b6da23cadb28793fcd7700c1N.exe	30
PID 2976 wrote to memory of 2324	2976	2db3dbc2d47de9fc7df3f48f4b8534cce6d2bcb4b6da23cadb28793fcd7700c1N.exe	30
PID 2976 wrote to memory of 2324	2976	2db3dbc2d47de9fc7df3f48f4b8534cce6d2bcb4b6da23cadb28793fcd7700c1N.exe	30
PID 2324 wrote to memory of 1864	2324	vbc.exe	32
PID 2324 wrote to memory of 1864	2324	vbc.exe	32
PID 2324 wrote to memory of 1864	2324	vbc.exe	32
PID 2324 wrote to memory of 1864	2324	vbc.exe	32
PID 2976 wrote to memory of 2632	2976	2db3dbc2d47de9fc7df3f48f4b8534cce6d2bcb4b6da23cadb28793fcd7700c1N.exe	33
PID 2976 wrote to memory of 2632	2976	2db3dbc2d47de9fc7df3f48f4b8534cce6d2bcb4b6da23cadb28793fcd7700c1N.exe	33
PID 2976 wrote to memory of 2632	2976	2db3dbc2d47de9fc7df3f48f4b8534cce6d2bcb4b6da23cadb28793fcd7700c1N.exe	33
PID 2976 wrote to memory of 2632	2976	2db3dbc2d47de9fc7df3f48f4b8534cce6d2bcb4b6da23cadb28793fcd7700c1N.exe	33

C:\Users\Admin\AppData\Local\Temp\2db3dbc2d47de9fc7df3f48f4b8534cce6d2bcb4b6da23cadb28793fcd7700c1N.exe
"C:\Users\Admin\AppData\Local\Temp\2db3dbc2d47de9fc7df3f48f4b8534cce6d2bcb4b6da23cadb28793fcd7700c1N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4yysbmbk.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB3C5.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1864
- C:\Users\Admin\AppData\Local\Temp\tmpB2CB.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB2CB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2db3dbc2d47de9fc7df3f48f4b8534cce6d2bcb4b6da23cadb28793fcd7700c1N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4yysbmbk.0.vb

Filesize
15KB

MD5
97effc96c4bdccd7fb66ad21b0c97e00

SHA1
477eb632c2fe7432167fe049e643ac136934b311

SHA256
36fde3bb9e51b75f171ef832c9b52eaff885932ed315690e056088d16a427afe

SHA512
20107104cee03a6cb7dc052ab3495c31ba9119236c2290fc3c936aa6658df126410372744cb1e77db6672fc5b2bbd3c5e7f995ed83a5cb623c2dc64389f53173

Download Submit
C:\Users\Admin\AppData\Local\Temp\4yysbmbk.cmdline

Filesize
266B

MD5
543941730ec16b2633ecc56e2ce834d0

SHA1
c321f0b44913004dab3142dd8ed25ae74655a634

SHA256
edab92fbd897245af966a1439e9aa320504b7774ca0dbc86e58442d118294aa3

SHA512
caa617cc43991b3725f1c3583cae0eac1014447ebdc51a00ad2fa12da798f20fb2ec7e925ec608e8932dc6973a557b7955a7f39ae3ce77bd2d79c36b459d785f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB3C6.tmp

Filesize
1KB

MD5
188a686b4957938b8340d789705d93c5

SHA1
0522a6e577b006aa582d9f6767cf7de5d2edc1b9

SHA256
a365da608eef3621ec771b201bdba6ee49eb72feb4bc30cd3b14c6db0bc9a5ac

SHA512
74a6a2af057cd1b2ac49e183012d952d0b3830cbc04610d93af55aeb9079aa941cc189845b37599f3ca688752e0696be7e4acd0b0636beadd7bf7500ca3501a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB2CB.tmp.exe

Filesize
78KB

MD5
0f6574d50ce8d8c8eb94cb999df379b6

SHA1
6871ade1cad0e9689174cc1b3c1f0a86f319016a

SHA256
abfda14ad244eef194f0c1279647b5f7ca3a5f31ed87fa74bc9036268e4e7f54

SHA512
fb5f525006ae286e10dd917838303980d160a520de34f1e0b15b4db9173dc40d06a277c6526d3bc043a5710ce30cd2102f2418978f76b2cfe163f45c549a6927

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB3C5.tmp

Filesize
660B

MD5
8de17905e7fb919d1f45256d45825b8f

SHA1
c85588ec26982a55d700ca408405060aa369c012

SHA256
0658e7c3539a784062e591e531b4704a1c610b66d4d250a3d4335e89e7e65032

SHA512
b467a63ea9cb8300b157b83be096aa04bb9feec73d2b684b2451242079309f2112ebac6f9a795d0e4e4934518f0772b8949c882c89228f99cfab369c65fb7652

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2324-8-0x0000000074B70000-0x000000007511B000-memory.dmp

Filesize
5.7MB

Download
memory/2324-18-0x0000000074B70000-0x000000007511B000-memory.dmp

Filesize
5.7MB

Download
memory/2976-0-0x0000000074B71000-0x0000000074B72000-memory.dmp

Filesize
4KB

Download
memory/2976-1-0x0000000074B70000-0x000000007511B000-memory.dmp

Filesize
5.7MB

Download
memory/2976-2-0x0000000074B70000-0x000000007511B000-memory.dmp

Filesize
5.7MB

Download
memory/2976-24-0x0000000074B70000-0x000000007511B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing