metamorpherrat | f13339a7bd320b253086d507c6bb7e7c5bdb7884d1fb4623a72d40f1d13f0377

General

Target

f13339a7bd320b253086d507c6bb7e7c5bdb7884d1fb4623a72d40f1d13f0377N.exe
Size

78KB
MD5

a4d8dfa944c2bcea6717f71dc5da13c0
SHA1

2cbb021cc24b464aec32d60053651bc0d8141627
SHA256

f13339a7bd320b253086d507c6bb7e7c5bdb7884d1fb4623a72d40f1d13f0377
SHA512

d14bb1a23e31ee6298c7746e5e3d77ad6a56bf9123c9f7dc67a14d13e3bf59cf8392fd48d4ed5eba688efc4437f4fac646188c465b9e55dbd6545b0f9e80ec41
SSDEEP

1536:RPCHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtM9/w1o3:RPCHFoI3DJywQjDgTLopLwdCFJzM9/P

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2872	tmpDBBF.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2644	f13339a7bd320b253086d507c6bb7e7c5bdb7884d1fb4623a72d40f1d13f0377N.exe
2644	f13339a7bd320b253086d507c6bb7e7c5bdb7884d1fb4623a72d40f1d13f0377N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f13339a7bd320b253086d507c6bb7e7c5bdb7884d1fb4623a72d40f1d13f0377N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDBBF.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	f13339a7bd320b253086d507c6bb7e7c5bdb7884d1fb4623a72d40f1d13f0377N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 1552	2644	f13339a7bd320b253086d507c6bb7e7c5bdb7884d1fb4623a72d40f1d13f0377N.exe	31
PID 2644 wrote to memory of 1552	2644	f13339a7bd320b253086d507c6bb7e7c5bdb7884d1fb4623a72d40f1d13f0377N.exe	31
PID 2644 wrote to memory of 1552	2644	f13339a7bd320b253086d507c6bb7e7c5bdb7884d1fb4623a72d40f1d13f0377N.exe	31
PID 2644 wrote to memory of 1552	2644	f13339a7bd320b253086d507c6bb7e7c5bdb7884d1fb4623a72d40f1d13f0377N.exe	31
PID 1552 wrote to memory of 2360	1552	vbc.exe	33
PID 1552 wrote to memory of 2360	1552	vbc.exe	33
PID 1552 wrote to memory of 2360	1552	vbc.exe	33
PID 1552 wrote to memory of 2360	1552	vbc.exe	33
PID 2644 wrote to memory of 2872	2644	f13339a7bd320b253086d507c6bb7e7c5bdb7884d1fb4623a72d40f1d13f0377N.exe	34
PID 2644 wrote to memory of 2872	2644	f13339a7bd320b253086d507c6bb7e7c5bdb7884d1fb4623a72d40f1d13f0377N.exe	34
PID 2644 wrote to memory of 2872	2644	f13339a7bd320b253086d507c6bb7e7c5bdb7884d1fb4623a72d40f1d13f0377N.exe	34
PID 2644 wrote to memory of 2872	2644	f13339a7bd320b253086d507c6bb7e7c5bdb7884d1fb4623a72d40f1d13f0377N.exe	34

C:\Users\Admin\AppData\Local\Temp\f13339a7bd320b253086d507c6bb7e7c5bdb7884d1fb4623a72d40f1d13f0377N.exe
"C:\Users\Admin\AppData\Local\Temp\f13339a7bd320b253086d507c6bb7e7c5bdb7884d1fb4623a72d40f1d13f0377N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\433wgezc.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC8A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDC89.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2360
- C:\Users\Admin\AppData\Local\Temp\tmpDBBF.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpDBBF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f13339a7bd320b253086d507c6bb7e7c5bdb7884d1fb4623a72d40f1d13f0377N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\433wgezc.0.vb

Filesize
15KB

MD5
514f3d4774d3ef273b60c1a5dea8a242

SHA1
23bff74f0a25b2cd23a087a4c6f8dbe0218bdd9e

SHA256
c51c9319b9b90adbc26a3179c66c5381f18f1fce1f24dd69852a131a2015c4de

SHA512
6b63c3639d23e3bcc90c724118f0f55536ed78b8ad29e4041e406f433d5e147b8c8d80fd67b6d43c8233ea512271e495508d6c5ceffeaf4fa26b51566a4d7407

Download Submit
C:\Users\Admin\AppData\Local\Temp\433wgezc.cmdline

Filesize
266B

MD5
e30ea445061d85ddafdb5145fcd29efd

SHA1
bf1eb90ae7b50efcdc704a0f6a65ba70525bc136

SHA256
991958c766c0d5d86972f0beff9fe1d12cdc8185a764afdcb037d86006f14056

SHA512
da368a77f0207660590b0b5280524059dd96afe73d975c784b25636df0ce276fe9786697f986bf337e07cc70f60ce507b5290514c08e0396d6c0e53647e24b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDC8A.tmp

Filesize
1KB

MD5
d061d0f2c7771ce8090f4a6223583afd

SHA1
a18c95d74a63f93404dcedaf595867d46f1bd24c

SHA256
9c7a5aee0dfa1a343941751c94398842701fbd2822ea49290ddead5f08090bcb

SHA512
3dd9d7184b7cf4ddcdeaf6c05f99491ec27cf04fd844758f3f8c3228d164c40df966bd41b7492b98dab4b5a7d798fb12053aa25c7ec39a4f0e770c11ace1bc78

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDBBF.tmp.exe

Filesize
78KB

MD5
ca6a5c003914efb0949b91560b0d0264

SHA1
1d77402284d2bd9b3c2d6c4a075134b713a9d77c

SHA256
2d09a2fc378e9398f5d1719ff6e65a488ac6e95b1312bc7ac70e335f8ac2904a

SHA512
e67dedfec03a59e60eec5a47aeb3c0554b4ad16511009b4e1b8d982f4765e31dacfa2bef293dc9525d60dd534f79b6855b7fc5bb4c5a817727fb9c6e01c2273f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDC89.tmp

Filesize
660B

MD5
c42fc20bab882f4e24fe7569265ecf33

SHA1
6f476af0b168d650be02c6fbd367e7d782f5df03

SHA256
594bcf122c8ec824fc27c3d8c2f708e7148f158632b71445e3fa36f7ba866555

SHA512
db23b425f7bf7c37781e74c29c774d40513edaa813b5c5e9e05678162b3fc3344941e0b0bf55cfbd61c2bad5e488f9c040895d1fb0616c46ac93ab8317a62c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1552-8-0x0000000074CC0000-0x000000007526B000-memory.dmp

Filesize
5.7MB

Download
memory/1552-18-0x0000000074CC0000-0x000000007526B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-0-0x0000000074CC1000-0x0000000074CC2000-memory.dmp

Filesize
4KB

Download
memory/2644-1-0x0000000074CC0000-0x000000007526B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-2-0x0000000074CC0000-0x000000007526B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-24-0x0000000074CC0000-0x000000007526B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing