metamorpherrat | a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717

General

Target

a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe
Size

78KB
MD5

400bf1cd79fee36cfebaf5f929edc919
SHA1

632001433f9197c1b842ecd2c6fcbbf623c4ccd2
SHA256

a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717
SHA512

555961917b0a74a58c7e7247dacff7f064d5b428a354a466abd2c79a4c31be5e10f74c7a65279cfc6195905bbffc41df4d11084325f350a7f9debabccae03005
SSDEEP

1536:SWtHFo6JIfpJywt04wbje37TazckwzW4UfSqRovPtoY0BQtS9/Qh1AS:SWtHFoOIhJywQj2TLo4UJuXHhS9/o

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2124	tmpC9D4.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2044	a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe
2044	a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC9D4.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 832	2044	a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe	30
PID 2044 wrote to memory of 832	2044	a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe	30
PID 2044 wrote to memory of 832	2044	a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe	30
PID 2044 wrote to memory of 832	2044	a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe	30
PID 832 wrote to memory of 2836	832	vbc.exe	32
PID 832 wrote to memory of 2836	832	vbc.exe	32
PID 832 wrote to memory of 2836	832	vbc.exe	32
PID 832 wrote to memory of 2836	832	vbc.exe	32
PID 2044 wrote to memory of 2124	2044	a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe	33
PID 2044 wrote to memory of 2124	2044	a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe	33
PID 2044 wrote to memory of 2124	2044	a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe	33
PID 2044 wrote to memory of 2124	2044	a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe	33

C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe
"C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vgqtzoqm.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC93.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC92.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836
- C:\Users\Admin\AppData\Local\Temp\tmpC9D4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC9D4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCC93.tmp

Filesize
1KB

MD5
fc252449eed04522ae6d45d02b4b6dfb

SHA1
6c1e4bd0b8a35aed58744bd04f64654a334c5ea3

SHA256
20918fd1a554cbbd4f0be9d9032008b96500358330c55b7158a8d8a106cf1b8e

SHA512
38f1c3b4e9293a11cf0017d03467e7959e25a06ffd445e8399fe2bd5d8498f449b1c9b9255c02b2ef5e9fd25ca1e7fe2371e462834de65cadbf7d5fee56868e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC9D4.tmp.exe

Filesize
78KB

MD5
92cb6e333b6de587a634b62c578caffb

SHA1
8209c41555c27b93f473c6cec0d49fc0052ac347

SHA256
db6a07d969c13575f20e1b86b7d4830839933694dfe2061dee32ab55175ac82c

SHA512
7000829f6caa887078543bd65c4b7ab7e01c5b054abee09efb75e58fff9db878d6b7a142aa23e482475f18b20e3d59238c54111078fbdef704af9798a9be03aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCC92.tmp

Filesize
660B

MD5
a82aba3387c64a0534fab917507ad27b

SHA1
9eb37512dadfbc29c6d9b54c581ff71be4ba01a7

SHA256
a6b6dd9184b620ee61d9b0052057f01f3b27f73c4ae7af09968406162905ed8f

SHA512
20cafcb5cbdb9114f2c0342cf32bc6417a7175925de99a7e7fad2c8c46c01cac82726721bcd3e2a4b513efc249c35d4fd6d4a852d328be88176c037db0d6ace7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgqtzoqm.0.vb

Filesize
15KB

MD5
25e8765c450627d1d61562a2e7ee5b7f

SHA1
fd79f9ad394d5f5a6e100672110fbbe3f47b2015

SHA256
215ceded248be38b47964dc2e62f91f3e54d798a75b6d613deeb74ecde9703c8

SHA512
13a12e2066a31513587a87e3be780210b977d7a27d7a63d960582202590bbfe90e1edec26d4aee1d82831adea3452f887dbd4cf0334f65a1204de9244293a651

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgqtzoqm.cmdline

Filesize
266B

MD5
cae5baf3185884ada003ad519e54241f

SHA1
a949f72a347ff135209604a5eb8ecb3839357db6

SHA256
b525065aaca49859a7adf0a21347ea2a496a099fb0b4b88e04bcd2188d1a8c53

SHA512
d5e544c1a55c4927e4c39cb6fc4195e6d59e2acfaa653b7b3947ec0f99c0c787bea772f577a01511f7031a8d89fc966c1c617f1ad4c8c1a777de306427077ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8008b17644b64cea2613d47c30c6e9f4

SHA1
4cd2935358e7a306af6aac6d1c0e495535bd5b32

SHA256
fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

SHA512
0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

Download Submit
memory/832-8-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/832-18-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-0-0x0000000074B31000-0x0000000074B32000-memory.dmp

Filesize
4KB

Download
memory/2044-1-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-2-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-24-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing