metamorpherrat | a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673

General

Target

a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe
Size

78KB
MD5

b384eafb7f17622515730a4e3caf1ed0
SHA1

a4924fbff76142e52e4942d7fc902d7bcf3fb404
SHA256

a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673
SHA512

fb6a56b2960c9c17c0f03f619270ac57b6f32bce688f346fcf2557ce00b761e98f8560ac54554dcf30df491491a454ceb2c1f7268743fbd949b3d8f5eec88393
SSDEEP

1536:/CHF3JIfpJywt04wbje37TazckwzW4UfSqRovPtoY0BQte49/f1gB:/CHF5IhJywQj2TLo4UJuXHhe49/W

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2812	tmpB145.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2088	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe
2088	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB145.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1340	2088	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe	30
PID 2088 wrote to memory of 1340	2088	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe	30
PID 2088 wrote to memory of 1340	2088	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe	30
PID 2088 wrote to memory of 1340	2088	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe	30
PID 1340 wrote to memory of 1372	1340	vbc.exe	32
PID 1340 wrote to memory of 1372	1340	vbc.exe	32
PID 1340 wrote to memory of 1372	1340	vbc.exe	32
PID 1340 wrote to memory of 1372	1340	vbc.exe	32
PID 2088 wrote to memory of 2812	2088	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe	33
PID 2088 wrote to memory of 2812	2088	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe	33
PID 2088 wrote to memory of 2812	2088	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe	33
PID 2088 wrote to memory of 2812	2088	a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe	33

C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe
"C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ultspese.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB202.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB201.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1372
- C:\Users\Admin\AppData\Local\Temp\tmpB145.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB145.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB202.tmp

Filesize
1KB

MD5
f07d40af29083a24ebfe9aa3034fdc0e

SHA1
fdf6cb78286693a31c8aabf67d6fde353d13f543

SHA256
d03c18090e37b57f5f72795a52cb1c568c95e38b5a0240d465c95f8e82e6a891

SHA512
e8ad2fa323cc7feaa36ca3938cba5b05862af7352d186c55981649c3160640a6c9804b5e8a50ab69e57877a2f4d1aa8343b84febbd03f5ddef073739ba49a1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB145.tmp.exe

Filesize
78KB

MD5
4cca22f7aad445be9ff194b6a48048a1

SHA1
68d51678ec8c598cdf1270e93e1bf25a0b3713ba

SHA256
2d14a333272c57dbd37700589f098558bd3948c298982363784c0b5fc23e202d

SHA512
171aa76fc74d552a4e327455804e4f4228fb813b803abdef81826d1523d860b8af5decff55c6b1c82f5c21827d47d9901195ca28b80966f46fc162e18183b808

Download Submit
C:\Users\Admin\AppData\Local\Temp\ultspese.0.vb

Filesize
15KB

MD5
d8e19ec7e82f2695b16ce9868a5a592a

SHA1
bbc75ea93b86287c3e0ae38cbdf64c21ffec951d

SHA256
49f5e492893d4cd17785113a402bd29c74971b25d09ff1206e9b9dc9facbe02b

SHA512
f1262a7c1603b6e316f8169541be652c009e2f1d69200faa8e46c76b305064cad579aa258e463a9ee06dea95741bfdf1afd403f36cc7aedd37b2b993d1481b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ultspese.cmdline

Filesize
266B

MD5
c967a2f88cea7724af0599d7bcb91198

SHA1
103466b2655afa8b9f3bb78439dfae00a5f5f2c5

SHA256
c033d79f00b24da60ccc7dc57dcaf047ecc120b3bf4079ee36e93651fc681726

SHA512
13fd8475c48e6e84e0cda4a57135f616e0e6dd7d8df715287eaac05e5186396582840ff8ba91e3043554863f6ea1fc93af5b53ca2f86ee1e58ce0989608fc7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB201.tmp

Filesize
660B

MD5
a78503eba1ec19102be967f8b5c0ebd5

SHA1
388ed713f5e4d05ecd7e9838968352c8c5ffb782

SHA256
708dea019b33986cf352a5cf7b48cad72d7f6e58793cac8392beaee78d1266dc

SHA512
e9015a942638a8c85d40f3466a46c6a7a5f260add78565e78151373c1e8f0ec4ca0200b29f988ef8cbd81a9bf972449a642062ed83ed2b48ec76a754b6de97e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8008b17644b64cea2613d47c30c6e9f4

SHA1
4cd2935358e7a306af6aac6d1c0e495535bd5b32

SHA256
fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

SHA512
0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

Download Submit
memory/1340-18-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/1340-8-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/2088-0-0x0000000074031000-0x0000000074032000-memory.dmp

Filesize
4KB

Download
memory/2088-1-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/2088-2-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/2088-24-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing