metamorpherrat | 61e1ccaa1003bfe37e8e148e8d3a5cd9ef61935204fdc28d1a3389074da49e3f

General

Target

61e1ccaa1003bfe37e8e148e8d3a5cd9ef61935204fdc28d1a3389074da49e3f.exe
Size

78KB
MD5

1c227b44a011fc0476634bcafe7da266
SHA1

3f0b8768ec4e11255caaaf8b11436293b85b319a
SHA256

61e1ccaa1003bfe37e8e148e8d3a5cd9ef61935204fdc28d1a3389074da49e3f
SHA512

e782c199e485374e752324706afffbadcaf5ffb688f90b21336515856fb4c90ed10802657db78ac714d435a7aecb85f2f59d47717624d31a89c79a2b3ec69dd0
SSDEEP

1536:nCHY6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtt9/k1x6:nCHYI3DJywQjDgTLopLwdCFJzt9/J

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1504	tmpBEEC.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2416	61e1ccaa1003bfe37e8e148e8d3a5cd9ef61935204fdc28d1a3389074da49e3f.exe
2416	61e1ccaa1003bfe37e8e148e8d3a5cd9ef61935204fdc28d1a3389074da49e3f.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61e1ccaa1003bfe37e8e148e8d3a5cd9ef61935204fdc28d1a3389074da49e3f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBEEC.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	61e1ccaa1003bfe37e8e148e8d3a5cd9ef61935204fdc28d1a3389074da49e3f.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2060	2416	61e1ccaa1003bfe37e8e148e8d3a5cd9ef61935204fdc28d1a3389074da49e3f.exe	30
PID 2416 wrote to memory of 2060	2416	61e1ccaa1003bfe37e8e148e8d3a5cd9ef61935204fdc28d1a3389074da49e3f.exe	30
PID 2416 wrote to memory of 2060	2416	61e1ccaa1003bfe37e8e148e8d3a5cd9ef61935204fdc28d1a3389074da49e3f.exe	30
PID 2416 wrote to memory of 2060	2416	61e1ccaa1003bfe37e8e148e8d3a5cd9ef61935204fdc28d1a3389074da49e3f.exe	30
PID 2060 wrote to memory of 2528	2060	vbc.exe	32
PID 2060 wrote to memory of 2528	2060	vbc.exe	32
PID 2060 wrote to memory of 2528	2060	vbc.exe	32
PID 2060 wrote to memory of 2528	2060	vbc.exe	32
PID 2416 wrote to memory of 1504	2416	61e1ccaa1003bfe37e8e148e8d3a5cd9ef61935204fdc28d1a3389074da49e3f.exe	33
PID 2416 wrote to memory of 1504	2416	61e1ccaa1003bfe37e8e148e8d3a5cd9ef61935204fdc28d1a3389074da49e3f.exe	33
PID 2416 wrote to memory of 1504	2416	61e1ccaa1003bfe37e8e148e8d3a5cd9ef61935204fdc28d1a3389074da49e3f.exe	33
PID 2416 wrote to memory of 1504	2416	61e1ccaa1003bfe37e8e148e8d3a5cd9ef61935204fdc28d1a3389074da49e3f.exe	33

C:\Users\Admin\AppData\Local\Temp\61e1ccaa1003bfe37e8e148e8d3a5cd9ef61935204fdc28d1a3389074da49e3f.exe
"C:\Users\Admin\AppData\Local\Temp\61e1ccaa1003bfe37e8e148e8d3a5cd9ef61935204fdc28d1a3389074da49e3f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\adspvpwu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0FF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC0FE.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2528
- C:\Users\Admin\AppData\Local\Temp\tmpBEEC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBEEC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\61e1ccaa1003bfe37e8e148e8d3a5cd9ef61935204fdc28d1a3389074da49e3f.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC0FF.tmp

Filesize
1KB

MD5
5b2fdb5c2c7b6e5a8e086bc32548f41d

SHA1
247ee81034804e703705ada76160f157fc406b55

SHA256
c74c5c2d576811174b32efcd72bdb1d87e629e44ee900c48328d07ed2c138389

SHA512
c9febf57dc764e48e5cdb3eb84b6e352084887f08884ccd968091cfd09d409b01df29a288d106a370c07d44918037cde9304cb21dee6c4cc57d4694f3a4ebf17

Download Submit
C:\Users\Admin\AppData\Local\Temp\adspvpwu.0.vb

Filesize
15KB

MD5
d6622bc8cc6d0fe10e97592d8f468509

SHA1
552d26a59c9c82373d9a6f0dee6fb9bdffb7291c

SHA256
3a0c75a3c305fde2697b7828ebdf43b02b8fbd633518bdf924c6f0a4e4fe0379

SHA512
c13298df705da44ca3ee2a5bf676e1324c2982c29498473ca0c53920c6906cd03aea80bf049237fd46946fffb373abcafd84274868ea619c2b79d67b8e0288fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\adspvpwu.cmdline

Filesize
266B

MD5
7eb56abc2af107f3e6212e071adc5970

SHA1
1432b524f75b97314f6e7c3c31f888b53a3ece0b

SHA256
59fb306e70423cc1fcc22f850e31d2ece63ee3ffa6b4fc7fbb7d4a74a98cbda8

SHA512
ec194db83e11a1a91dc1311ed25268b1ea0912ca68a3e1c869648ecb628156d553132ad816b8cbf484b754dc3760f142aa3dc4fe56c4734087e886f792859c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBEEC.tmp.exe

Filesize
78KB

MD5
94ff8e735397dca3e235ae5dc645db0c

SHA1
880aca20b7762e8b15f6b9f477de19b1d1fc37ca

SHA256
88f5082e93de003c6e42eed3a5897f7747d5980689f7348b9073b6993777a182

SHA512
acca52f11fe4c3f3305313d14f7465bd4eb59b839a2470994b16076546f9201bcbf7bd1a496a84dd3040c33505156a2ca146fc3d332124a8e01ef0a470d4d462

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC0FE.tmp

Filesize
660B

MD5
512984383e736b579af244318038f0bf

SHA1
c83cd166b38d972656591ce99728ea5eeacf66b9

SHA256
e4ab8e49c2b60384ed6ddedf661a080096f533f05a607ff904c7332f200e8fc8

SHA512
3aac6f230e8bd70bf20e353afc68a5b9ae3eb60a797cc37cc365cf59f4669818456aaa5eef1ca4e8be51c01fa3e6b63081691b07b3de2aa626e1f734d7344920

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2060-8-0x0000000074A00000-0x0000000074FAB000-memory.dmp

Filesize
5.7MB

Download
memory/2060-18-0x0000000074A00000-0x0000000074FAB000-memory.dmp

Filesize
5.7MB

Download
memory/2416-0-0x0000000074A01000-0x0000000074A02000-memory.dmp

Filesize
4KB

Download
memory/2416-1-0x0000000074A00000-0x0000000074FAB000-memory.dmp

Filesize
5.7MB

Download
memory/2416-2-0x0000000074A00000-0x0000000074FAB000-memory.dmp

Filesize
5.7MB

Download
memory/2416-24-0x0000000074A00000-0x0000000074FAB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing