metamorpherrat | be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c

General

Target

be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe
Size

78KB
MD5

1c7327ce77601ba4265336d2e9ea82cd
SHA1

ab1ad762473ad932f162eb9db4aa5b65cd3f9f72
SHA256

be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c
SHA512

b7a1675b845fb50c98789b7343b024241d97227e3a026fb73260964231a95f4b4af901840c6a41e4595922db12d160e8d2efe270ef36b31dac752d36dcc30d01
SSDEEP

1536:RYV5jSepJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtt6f9/UZa1LF:GV5jSwJywQjDgTLopLwdCFJzg9/Oy

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2844	tmpF316.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2328	be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe
2328	be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF316.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2216	2328	be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe	29
PID 2328 wrote to memory of 2216	2328	be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe	29
PID 2328 wrote to memory of 2216	2328	be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe	29
PID 2328 wrote to memory of 2216	2328	be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe	29
PID 2216 wrote to memory of 2956	2216	vbc.exe	31
PID 2216 wrote to memory of 2956	2216	vbc.exe	31
PID 2216 wrote to memory of 2956	2216	vbc.exe	31
PID 2216 wrote to memory of 2956	2216	vbc.exe	31
PID 2328 wrote to memory of 2844	2328	be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe	32
PID 2328 wrote to memory of 2844	2328	be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe	32
PID 2328 wrote to memory of 2844	2328	be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe	32
PID 2328 wrote to memory of 2844	2328	be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe	32

C:\Users\Admin\AppData\Local\Temp\be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe
"C:\Users\Admin\AppData\Local\Temp\be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bewjq24s.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF529.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF528.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2956
- C:\Users\Admin\AppData\Local\Temp\tmpF316.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF316.tmp.exe" C:\Users\Admin\AppData\Local\Temp\be7a4d8d37b587433cfb6cab1d2910c6dacbeec97b87f4b31d9584dcc223132c.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF529.tmp

Filesize
1KB

MD5
0af75bede2fe709a9c5e2e32e186b031

SHA1
f373d92a767ca45a1adc0274e6001d2411cdbfe5

SHA256
07dc06e1ce5dc01493d02212b30efd7f2ea918fe1c5a147285cb258b691b4208

SHA512
e3947cd73caf7e0706f9c060a12b7336d2f366fc80903d61f8eba69cbf45bcf969d1b3faca329c96c9da16c61d57e294d5b743d2328000d05bec20e8a4b1bc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\bewjq24s.0.vb

Filesize
14KB

MD5
2b1e8e4f53a8049daa6d64db1428b372

SHA1
50a4bd8c45f4e4787a96087503fdbc167e9528bd

SHA256
b2cf4454a10c25c1ae2ad3aee89dce453031bf974e6ea8a2a23d606dd48d0e73

SHA512
7efe50f8cfe5d65f7904cdbdd37702fd50b6c9653f3c80c5c7330f1c190968f7394f58e521313547afcf1ae94c02c6fd03d7ed8b9b90e764a37080ec32d3155e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bewjq24s.cmdline

Filesize
266B

MD5
93d4e060e6dd6e9b6a024ec8bd2d0cc7

SHA1
3b8f91d14d96f2d796761e4d3f9a7872fc66294d

SHA256
b749a5897eb5b3ef5a8a975bf4120bb7372720cc58b62f1d9b08cb0b9977afb0

SHA512
9956732ad609fa0c9982b2598d7a0c937e48e8b095436f90f01e4c9c5e32d1a157f5de4be7836b65d880916522fd973a0eb4aff16a1c26644152e37bf164c73b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF316.tmp.exe

Filesize
78KB

MD5
45ef64d55dc0cfbac44170481918e37c

SHA1
c28e0a17b9fe2e5d3b32a5c191b7499eff4d54ec

SHA256
1e22bef3a31e5e72553c2981b943822e89be395b1c66ee90ec657658cff5d2f4

SHA512
ae72baf7d1c040a1c3b5cbc6cbc10dee39051f0814f5cd8d42fb8fd79fd69b112c7e02ed21ef3b1475de15b2f8424bb1163e0fa3d8ccbcd53c87001eea498e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF528.tmp

Filesize
660B

MD5
ff0fe46102649db6d6ff00eec26224ed

SHA1
f87abb365c8993bc632a0bd532f59b92364a9f2a

SHA256
fa67aa4e4bea394005139ead84a7d627ad7cde4642bd21eb4e0ca6d95731478e

SHA512
c8146e57fcd60d4e516c4455d7c38eb94a73cb9f67af4ca9d0d466059a61ab8b1b2dcae3d9aa80dfc3724ed83609d6c08fec5df3c6c0709c3740f227609d10c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2216-8-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2216-18-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2328-0-0x00000000749F1000-0x00000000749F2000-memory.dmp

Filesize
4KB

Download
memory/2328-1-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2328-2-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2328-24-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing