metamorpherrat | a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673

General

Target

a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe
Size

78KB
MD5

b384eafb7f17622515730a4e3caf1ed0
SHA1

a4924fbff76142e52e4942d7fc902d7bcf3fb404
SHA256

a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673
SHA512

fb6a56b2960c9c17c0f03f619270ac57b6f32bce688f346fcf2557ce00b761e98f8560ac54554dcf30df491491a454ceb2c1f7268743fbd949b3d8f5eec88393
SSDEEP

1536:/CHF3JIfpJywt04wbje37TazckwzW4UfSqRovPtoY0BQte49/f1gB:/CHF5IhJywQj2TLo4UJuXHhe49/W

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2992	tmp80C4.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2800	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe
2800	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp80C4.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2140	2800	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe	30
PID 2800 wrote to memory of 2140	2800	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe	30
PID 2800 wrote to memory of 2140	2800	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe	30
PID 2800 wrote to memory of 2140	2800	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe	30
PID 2140 wrote to memory of 2864	2140	vbc.exe	32
PID 2140 wrote to memory of 2864	2140	vbc.exe	32
PID 2140 wrote to memory of 2864	2140	vbc.exe	32
PID 2140 wrote to memory of 2864	2140	vbc.exe	32
PID 2800 wrote to memory of 2992	2800	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe	33
PID 2800 wrote to memory of 2992	2800	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe	33
PID 2800 wrote to memory of 2992	2800	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe	33
PID 2800 wrote to memory of 2992	2800	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe	33

C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe
"C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5ugvgxjl.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8190.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc817F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2864
- C:\Users\Admin\AppData\Local\Temp\tmp80C4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp80C4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5ugvgxjl.0.vb

Filesize
15KB

MD5
80e3ab14f3065d88eabb1d8368392b90

SHA1
b977ca479c82b025336fbedf250cdfe35d3fbd9c

SHA256
13ea8420467132e0d4d6159aff69403fc9afb2658b426821726ee4e9a5a0bcbf

SHA512
e5ddc5a0549aa1cc06a1760e6ac727a35b3f7fc1635803c2668d337c51fe70faad3f174a3211b1c85a7e79600d5732dd5316c36e9356768aa0ab79de637a7530

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ugvgxjl.cmdline

Filesize
266B

MD5
619eb01b747055ebfa0127853e776ee3

SHA1
30040eec3ee6d9cf7d0639754ff1f73570aa869a

SHA256
165b5ed484380d235f18c1bdced61e8b22724a7cbdb9eee3928ecc83353be001

SHA512
5524d1ec2bc474d98607fd0fabe51dad7a00d5af866c7caad3c9ff933a1523d5279dce520f098d24851d39bc1a7ba498bbce4a63ce911a0cc1fe4c8b01fafbd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8190.tmp

Filesize
1KB

MD5
71e4268e4e936cc52c1af5bcda153af0

SHA1
cc3c03f56d9da11edf3b58454e320d682e4a9cbc

SHA256
03e4e62d53f872131e604b2c82cb4a1053c942a5ea5dad9af98af0f47c4b2acb

SHA512
ebdbeb4cd49f12ce012223ac8b0b4d671ecd7118658b18083ed011336f2100108651999ac979bf99f87534714171e66eab95ae52a015701f30c66214e9e4b8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp80C4.tmp.exe

Filesize
78KB

MD5
e6e64a6fef178a631060dd90698e4d2a

SHA1
d7dc23bf8f5acfa27df6bf47fbd5fe7d30dc05fc

SHA256
791de2d40d422f2260a9216233b0e73c6ce8edbf6ea730ea8d1e03852da5af22

SHA512
ff14bef7a227f2f3deedfcbaca72637782b31d0602ccb8cd96d5d10c6cebda12cc7745dc4a28f8e8c62313d48fddba36dbfd746cccfd7ab5eb7acfddefcf6202

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc817F.tmp

Filesize
660B

MD5
59dd9afb08711b29a1b2204376cfc5d2

SHA1
58682ac1eb10a5d26a34c3d8ea8f2c0f303c8360

SHA256
b309f408f2102200ef30723525145f51ec2825f2a73e24e2b37f96d249766ef5

SHA512
c8c0295fe1b614b7a6337a7ad014ef517466951b1aba5a841930c2c1afb37d4a8305ae8486f1fcbad7c90b3b78ced94efb14e87596e27c355f20b4e76df34a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8008b17644b64cea2613d47c30c6e9f4

SHA1
4cd2935358e7a306af6aac6d1c0e495535bd5b32

SHA256
fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

SHA512
0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

Download Submit
memory/2140-9-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/2140-18-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-0-0x00000000745F1000-0x00000000745F2000-memory.dmp

Filesize
4KB

Download
memory/2800-1-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-2-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-24-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing