metamorpherrat | 2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364c

General

Target

2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe
Size

78KB
MD5

00152c998c9fcf9b697738c9564d2730
SHA1

65ed9cd87387a3eb6ab1da9ab7df5e824b6dd0b0
SHA256

2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364c
SHA512

8e09ca9c1578e49568407da87ff70fb64dd5adf454bf0573ecc8ef6a7c8442969730ce2f8df0bf27ccef49ccb3192271d4f5eecc9d216bfddd8833323d30541d
SSDEEP

1536:pCHFo6JIfpJywt04wbje37TazckwzW4UfSqRovPtoY0BQtD9/Te1nI:pCHFoOIhJywQj2TLo4UJuXHhD9/Tz

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpE5BD.tmp.exe

pid process

2908 tmpE5BD.tmp.exe

pid	process
2908	tmpE5BD.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe

pid	process
2248	2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe
2248	2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exevbc.execvtres.exetmpE5BD.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE5BD.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe

description pid process

Token: SeDebugPrivilege 2248 2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe

description	pid	process
Token: SeDebugPrivilege	2248	2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exevbc.exe

description	pid	process	target process
PID 2248 wrote to memory of 2960	2248	2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe	vbc.exe
PID 2248 wrote to memory of 2960	2248	2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe	vbc.exe
PID 2248 wrote to memory of 2960	2248	2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe	vbc.exe
PID 2248 wrote to memory of 2960	2248	2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe	vbc.exe
PID 2960 wrote to memory of 2324	2960	vbc.exe	cvtres.exe
PID 2960 wrote to memory of 2324	2960	vbc.exe	cvtres.exe
PID 2960 wrote to memory of 2324	2960	vbc.exe	cvtres.exe
PID 2960 wrote to memory of 2324	2960	vbc.exe	cvtres.exe
PID 2248 wrote to memory of 2908	2248	2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe	tmpE5BD.tmp.exe
PID 2248 wrote to memory of 2908	2248	2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe	tmpE5BD.tmp.exe
PID 2248 wrote to memory of 2908	2248	2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe	tmpE5BD.tmp.exe
PID 2248 wrote to memory of 2908	2248	2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe	tmpE5BD.tmp.exe

C:\Users\Admin\AppData\Local\Temp\2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe
"C:\Users\Admin\AppData\Local\Temp\2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ox63soqy.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8F9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE8E8.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2324

C:\Users\Admin\AppData\Local\Temp\tmpE5BD.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpE5BD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE8F9.tmp

Filesize
1KB

MD5
ec047d81b55191f8f218acc2efa514cc

SHA1
48a26861402d9798c2b92e5d9ef713d672b81fc6

SHA256
9af9ae601350260f8359a47833f78314b89e8d9ffde0e91523d54300ecbfd9ef

SHA512
a49bb592665434fcd78a6b921d22bc7ec8302cb251345cc78a4679d3e828f82d44fa749e652fed25561aa65838858f072058016f44882ab0abf0da87fb3c7720

Download Submit
C:\Users\Admin\AppData\Local\Temp\ox63soqy.0.vb

Filesize
15KB

MD5
f4955e2208938524a80fac33ca62031a

SHA1
2575299bbff272c2802de4e94a7c19cc840009d0

SHA256
e193f578e3309a754f3723b4d6a48e5fdbd6bc3547e77cddc13579304a364aad

SHA512
b94f16ad372a8754149b5634f5b42d5d6363a9d11077bd06b737f88fabf9225b94fe2fa703e506876cea49a03cfc9ddb5fb982ada728c6cc1e61c40b34c0b77b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ox63soqy.cmdline

Filesize
266B

MD5
969da103e638d5626d8664b317df9659

SHA1
d9a91747ca2933f983a75127c27c970ea1bf08be

SHA256
1da72a11108ff2894ccee8ab6f41943750de11c67ea7df42da6c0922fee6e108

SHA512
427c60acc1da6b3fdd3714ee8f01016ce83456fc5ee7d43178ee328c463e96a827febd72db37fcf5ea0c96dc248d8d8e644be976a6f7c740a78ac395707f3498

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE5BD.tmp.exe

Filesize
78KB

MD5
911563d44aea2073987123635de5cf4d

SHA1
a80ec98a0ca49358731eda3c2ee933a000f67aae

SHA256
3247fd49edb3f5c521abd9a18f0946341548bda216cd53a58ea5685609df00cb

SHA512
61d65a0a0c0f213c1fb1e30ff52043561bd3398573ea9a0e5065b77ce7faa1110961a0cea52b44b345b4f54e4bf94cb9759905c9764ec83858d688308c94c685

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE8E8.tmp

Filesize
660B

MD5
a41174d4b49b31c36ba1cf23317fa231

SHA1
e74f853e35a7ddb2e37131df5a31de1d32a5984f

SHA256
43cc3234ae80261290f8394b3751887403ef502b0b11aa5271591e4bed180c7a

SHA512
8ed21caba9bd88a899605e51d8f8d0360dcc53bb5e3cb4f084a2ce6a6c61c77688457728c97b15fe9f8786e5022d25ffdfe1dce23099aab94d9a0e3ce793327b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8008b17644b64cea2613d47c30c6e9f4

SHA1
4cd2935358e7a306af6aac6d1c0e495535bd5b32

SHA256
fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

SHA512
0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

Download Submit
memory/2248-0-0x0000000074611000-0x0000000074612000-memory.dmp

Filesize
4KB

Download
memory/2248-1-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2248-2-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2248-24-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2960-8-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2960-18-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads