metamorpherrat | 7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37

General

Target

7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe
Size

78KB
MD5

8fc1cbf2ecf911fcdaa93d8dea69d2e6
SHA1

6eff15da66f4bb7741547e8985bf963add381738
SHA256

7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37
SHA512

dd138c2a0a4860477664bdb83389b0693115cc080234f0b46c977c7450d370033618c19c2fc6d290545f2a6322f57a5661651f5c48e9761cfe123b22b3731661
SSDEEP

1536:DHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtpa9/x1cS:DHFoI3DJywQjDgTLopLwdCFJzpa9//

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2896	tmp5995.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2772	7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe
2772	7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5995.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 3064	2772	7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe	30
PID 2772 wrote to memory of 3064	2772	7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe	30
PID 2772 wrote to memory of 3064	2772	7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe	30
PID 2772 wrote to memory of 3064	2772	7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe	30
PID 3064 wrote to memory of 2364	3064	vbc.exe	32
PID 3064 wrote to memory of 2364	3064	vbc.exe	32
PID 3064 wrote to memory of 2364	3064	vbc.exe	32
PID 3064 wrote to memory of 2364	3064	vbc.exe	32
PID 2772 wrote to memory of 2896	2772	7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe	33
PID 2772 wrote to memory of 2896	2772	7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe	33
PID 2772 wrote to memory of 2896	2772	7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe	33
PID 2772 wrote to memory of 2896	2772	7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe	33

C:\Users\Admin\AppData\Local\Temp\7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe
"C:\Users\Admin\AppData\Local\Temp\7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5zijjgtw.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C16.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5C15.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2364
- C:\Users\Admin\AppData\Local\Temp\tmp5995.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5995.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7c2cd2b297c57bd08c66a6df860140d78f9c974c36eac8fc134c34a155089b37.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5zijjgtw.0.vb

Filesize
15KB

MD5
93c7995ffe84dc2be508ff03bc52e767

SHA1
f3846a7c93f64b11fe85c4375ce936be0f100192

SHA256
a9215bd00b3e94b10ee872129e6a7396025e6ba39a9be37fcc1ca4b1b96f69e4

SHA512
90e09aa1b7cb4f665713ecb44dd250a6543306ecc54de9944d502d1f67c6ba530bf8429fb5a76c578962336e7c2171655bce49ad16252f899288faf36aeef015

Download Submit
C:\Users\Admin\AppData\Local\Temp\5zijjgtw.cmdline

Filesize
266B

MD5
3977a956de5f977a639e3719ff99552e

SHA1
d93807c509ca0dea8d41bae6f37e664e0d261a7a

SHA256
4959c2c97bac0b3cf5c525a17ffef84551635175325ccae78dc7abb0ce476142

SHA512
2ecf13143c6fc1fe0d6f63b57a2509463c7ed64e8e5ee4d245ba38892c387c7c8c5ab74eacb45881154eee11ec27e424443b8f327ac468165ac0b3c32045cf40

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5C16.tmp

Filesize
1KB

MD5
68d214cce55d39e922a23ab0e33dba6e

SHA1
6939db95f01838aa405ccdbd258c78e5ab1d4a83

SHA256
341e7a117e3f469a627b223a1af333757a63a96cbdedfc41057b4863cbc41b07

SHA512
448e971ecc8114ffc5e48013fe3aa3d1386d3ed2102a1501a517fb2ce4260e6ec7bff038ea467b0e36f83c52905ef5a0dd901648603cc433f092f8bcbee4dcd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5995.tmp.exe

Filesize
78KB

MD5
c27ba0c060cb7e5e60dbe8dd0ad857b7

SHA1
6cc9ab481fe9645bb04e65ba16213b233185f23e

SHA256
ad870386e85de05bdb06ef0375d1703a32f52ac449d319bf11094a6dc121d0a3

SHA512
9cee97c6476191a655285feaafb45720df4e0409d62a3935350d4f81ae33b8e6c89a0571509f3d061c37ea907f931ffd76596cf996ae1ce58519ed64baaeb6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5C15.tmp

Filesize
660B

MD5
28e4269d29404e6e34f438acbc13b4ed

SHA1
11b16b26f849bfe0ef29900177c50a1553770e1d

SHA256
e5f0944c70b087a1babdb01c76ae1b78ab8bda02a0ae823fc0d9e0d7df8a9ab6

SHA512
34e0fa7a26d4d34a3178c1b3c267a354f24e2bf2eaaff59a9ea93075e80ed5a5b8b784905265c6f927f2aa73328b0879093b25eb4d14926ec0decb87b74f02ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2772-0-0x0000000074C01000-0x0000000074C02000-memory.dmp

Filesize
4KB

Download
memory/2772-1-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2772-2-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2772-24-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/3064-8-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/3064-18-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing