metamorpherrat | 190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061

General

Target

190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe
Size

78KB
MD5

daa403e3352b2457a3c6446877612209
SHA1

b69c26b5d22257793cfcf4e06a6ad9dd097da72a
SHA256

190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061
SHA512

a4c5fcc13aec1001eefdf51b47b9dd7a7b1d358eba5d27a774222f5bdc34c1571aa901bb7af95fb04b1d7352c6d18bc618109d4b9bc17d28a3d9c46160907a93
SSDEEP

1536:wc58YpJywt04wbje37TazckwzW4UfSqRovPtoY0BQt96A9/n1mI:wc58WJywQj2TLo4UJuXHhn9/N

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2272	tmpD9AC.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2464	190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe
2464	190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD9AC.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2472	2464	190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe	31
PID 2464 wrote to memory of 2472	2464	190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe	31
PID 2464 wrote to memory of 2472	2464	190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe	31
PID 2464 wrote to memory of 2472	2464	190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe	31
PID 2472 wrote to memory of 2500	2472	vbc.exe	33
PID 2472 wrote to memory of 2500	2472	vbc.exe	33
PID 2472 wrote to memory of 2500	2472	vbc.exe	33
PID 2472 wrote to memory of 2500	2472	vbc.exe	33
PID 2464 wrote to memory of 2272	2464	190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe	34
PID 2464 wrote to memory of 2272	2464	190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe	34
PID 2464 wrote to memory of 2272	2464	190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe	34
PID 2464 wrote to memory of 2272	2464	190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe	34

C:\Users\Admin\AppData\Local\Temp\190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe
"C:\Users\Admin\AppData\Local\Temp\190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\axsuovdu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAB6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDAB5.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2500
- C:\Users\Admin\AppData\Local\Temp\tmpD9AC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD9AC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\190b685023f0920a9e586666e4d35cba06521a5c795d9562c75bfae875e8d061.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDAB6.tmp

Filesize
1KB

MD5
edf5f06bb926086121b4550edbc19ffb

SHA1
a22bfd71d0cad879ddf154073bda4287ad779400

SHA256
30df168a0e4e705b8dd57f5d215350931710728cd5010bb3ce85ba6a08a4de2b

SHA512
c636e49b64c16d143ba306471430ecb5ea273b00440a44b30f6d1d1c76194552bb9b0bd025aa9fd4b85678510c279d9ab741cb031290b16c33e65832264733ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\axsuovdu.0.vb

Filesize
14KB

MD5
3d61f670a8434da64de9d5d949ca5dcb

SHA1
dbd6e66c01bd22ea6b541954c0cd17748cfc6889

SHA256
c1cf6f601ef6246d1ea418d4f01051f71f056d1267edfb6b3192f7e05d35c5a2

SHA512
9dd38ec421182bb438b14d9351b4775f2eb48151283bddd9007f9fe1469fb1a50cf47a821eae3001f17a3878eafabe3a0ceb16485ce22a1da24caffbb0951f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\axsuovdu.cmdline

Filesize
266B

MD5
d54cca396068554f62d4e017fb5c4e91

SHA1
3d98e5b02e155821d39f5873b4a7ee67220b6ccf

SHA256
394210cea6b47442ffff1b6ca450e7fd7e31730a0e0b750c3ce3255d3e00faf8

SHA512
4562a7299082b0b7e7c2e96367502ec27586be921f96515a6a941efba71a2f0610be708e2210436b7e12a3a38e1c7cefed9555fec0e8b7abec06f92a5536ce2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD9AC.tmp.exe

Filesize
78KB

MD5
1ae0bbd7ff1362ef297b1e11535ce69c

SHA1
63ee2dedb2886fcd2974c14e639d71d9bb72a15a

SHA256
16efad86e3ff42fa348f37c1b45443710cb0689454e3bd4392c2b6ca596c6a5f

SHA512
4325beee27e4ccb71b37f3f187079f4dc319aa6d805ebfb40ca424f3ac741c7e28463a5dd175df113ca530ab44e34144e858cd727082919fae2d219d0a592e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDAB5.tmp

Filesize
660B

MD5
b4ad0a160a1af2f45a0c1492c9fcac27

SHA1
6713177db040be2f415086044909bd3d6780d6c5

SHA256
589a62db086ea962723b0116106728e3596ec9ca1521a3feb98c6563d4ecf416

SHA512
2c30c59cf9c9def5bb915666a368ecabf34eb1635a58f12ab48b80351d18948e3eb057262dce01417791f6393a134627ef210113e41ce8a9ec1e5cbf5359849e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8008b17644b64cea2613d47c30c6e9f4

SHA1
4cd2935358e7a306af6aac6d1c0e495535bd5b32

SHA256
fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

SHA512
0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

Download Submit
memory/2464-0-0x0000000074FD1000-0x0000000074FD2000-memory.dmp

Filesize
4KB

Download
memory/2464-1-0x0000000074FD0000-0x000000007557B000-memory.dmp

Filesize
5.7MB

Download
memory/2464-2-0x0000000074FD0000-0x000000007557B000-memory.dmp

Filesize
5.7MB

Download
memory/2464-24-0x0000000074FD0000-0x000000007557B000-memory.dmp

Filesize
5.7MB

Download
memory/2472-8-0x0000000074FD0000-0x000000007557B000-memory.dmp

Filesize
5.7MB

Download
memory/2472-18-0x0000000074FD0000-0x000000007557B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing