metamorpherrat | a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610

General

Target

a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe
Size

78KB
MD5

3d2f979953107bd80d5a53b523e4fde0
SHA1

ddc2fb5add85c6742d37c887949755fff808a9b9
SHA256

a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610
SHA512

44663882d6e3d15e495ea1bf90eb157a50cd3e6da6611cbc57dce9a963bdf7b5367b17e6734ecd54f5b8cb8b5cd01cd8e98a00c4a51df8e5e5ce50a4e861c498
SSDEEP

1536:myV5jSNpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti67F9/g1Jv:DV5jS7JywQjDgTLopLwdCFJzDF9/U

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2872	tmp9FE7.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
3056	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe
3056	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9FE7.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2524	3056	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe	30
PID 3056 wrote to memory of 2524	3056	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe	30
PID 3056 wrote to memory of 2524	3056	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe	30
PID 3056 wrote to memory of 2524	3056	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe	30
PID 2524 wrote to memory of 2092	2524	vbc.exe	32
PID 2524 wrote to memory of 2092	2524	vbc.exe	32
PID 2524 wrote to memory of 2092	2524	vbc.exe	32
PID 2524 wrote to memory of 2092	2524	vbc.exe	32
PID 3056 wrote to memory of 2872	3056	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe	33
PID 3056 wrote to memory of 2872	3056	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe	33
PID 3056 wrote to memory of 2872	3056	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe	33
PID 3056 wrote to memory of 2872	3056	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe	33

C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe
"C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\obo5o980.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA1CB.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2092
- C:\Users\Admin\AppData\Local\Temp\tmp9FE7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9FE7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA1CC.tmp

Filesize
1KB

MD5
0d39f62f40666dee2ca2f5f3f6f7f488

SHA1
099c08e3524d09335b1f43774ea872bd1438db02

SHA256
a4b955ab87d1218ce2597d0acf31d9efac4b995486fe143714d2887a24bccdf2

SHA512
a8f6310c1f168301cbab977593127709a665a9bf24249ecb985e15e8b8c63e4034e3709cacce8824057b12893297756a39690c8add4dfd1287b2c05e2770f233

Download Submit
C:\Users\Admin\AppData\Local\Temp\obo5o980.0.vb

Filesize
14KB

MD5
e1356463768111aa84f214e5567f9f4d

SHA1
9b46a19c98a668ce1f0f6533412525ffa55468f4

SHA256
ddec2eb164041fd8ab24a9a4ae2449e87dfd0cf4b30a4454046f19f15affe0c6

SHA512
2542f16e20a8710649956ce50f792f96a32a5909eda6b217afa6a3c7a0a0936778956b2c9bd29573515fea36c0b703674a0b012cf3d3e104aadba1fe03c0b587

Download Submit
C:\Users\Admin\AppData\Local\Temp\obo5o980.cmdline

Filesize
266B

MD5
ac306b8e0483096ed9a543adf45f20e4

SHA1
4e39fb8023b26b9f773822cdc37f3c8fc5d9954c

SHA256
71b3937c756ddedf78b1f7bcc5d08ae01295a8109ed7744548aef79d95defe3f

SHA512
f6bc9deb1c93781bc6084193ddb10f9fc789f506ed939808ed0c6a2191dc56b6c7a0d64edf6b02cdf80edbfc5fb0f1cf0af52204c1460b92e732a45f29eb7cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9FE7.tmp.exe

Filesize
78KB

MD5
f0b89f060777f3d334d4ce1cce817d6e

SHA1
20d8e3891bc94fcf109a2109e707c09b9bc9cf25

SHA256
e73609ec5dc6696785e3d3f7a4295b5777c9f48110c1e8c63898f6cfda6498fc

SHA512
f16940869efa6a2dca10b22425884620b2bbf8f0a733cdea23a231c9183d30c6b4eeafe29194f327a5af772924dffa22faab3f6e18f2e0d823b0a5ea0be776a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA1CB.tmp

Filesize
660B

MD5
e099e288a2656e9de9630dd4a1ee03e5

SHA1
c15b5d7975c4213771a76e980f31b421b93fcd69

SHA256
37c8190edfdac646250af0a7b226099c8a61320d79a0f83decc6277d519fdcf6

SHA512
4e9556ba0753462df4f53ae25b6acbe04a88456b96de5f12bdcdf4f146c41c6be2ca39f4a98ee7cad168ac9597a5608424e859b480283a0e0a187cc6f1618948

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2524-8-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download
memory/2524-18-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download
memory/3056-0-0x0000000074861000-0x0000000074862000-memory.dmp

Filesize
4KB

Download
memory/3056-1-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download
memory/3056-2-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download
memory/3056-24-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing