metamorpherrat | 563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9d

General

Target

563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe
Size

78KB
MD5

f38bc08a5b9970411bb240e1e7da49b0
SHA1

591354c4286d1c199deffc0438ffa3b26639a249
SHA256

563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9d
SHA512

3d0cda4cff3f358ae19a7c0f1fb6cc1e0d1d51aee856405350271b9a2a965739374832d3aea6f078823d7252443a923a8cc6948c7da6bf856781c11fcd970bc9
SSDEEP

1536:9Py58/pJywt04wbje37TazckwzW4UfSqRovPtoY0BQtv6k9/1i1ud:9Py58BJywQj2TLo4UJuXHhp9/15

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1044	tmpBFC6.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
108	563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe
108	563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBFC6.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	108	563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 2040	108	563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe	30
PID 108 wrote to memory of 2040	108	563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe	30
PID 108 wrote to memory of 2040	108	563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe	30
PID 108 wrote to memory of 2040	108	563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe	30
PID 2040 wrote to memory of 2032	2040	vbc.exe	32
PID 2040 wrote to memory of 2032	2040	vbc.exe	32
PID 2040 wrote to memory of 2032	2040	vbc.exe	32
PID 2040 wrote to memory of 2032	2040	vbc.exe	32
PID 108 wrote to memory of 1044	108	563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe	33
PID 108 wrote to memory of 1044	108	563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe	33
PID 108 wrote to memory of 1044	108	563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe	33
PID 108 wrote to memory of 1044	108	563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe	33

C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe
"C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:108
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l7l9uy9q.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0E0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC0DF.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2032
- C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC0E0.tmp

Filesize
1KB

MD5
b9150ef5933a109ef9fa4028e5b70db4

SHA1
afe5904aaf2bf5b96dff8e5b963dab0835981a43

SHA256
9c84fa872f19a78afc926d9bda2cbb6136cca7d8e7bd90f9fdd0d1f99eff377f

SHA512
9cf315046302dbc4035677d244216da44984fe43be5273bb70605c9839add8050002c2303055d9d58b4f4db833a65f38d1f1cb5509098f0bed9b7f42a1ae6023

Download Submit
C:\Users\Admin\AppData\Local\Temp\l7l9uy9q.0.vb

Filesize
14KB

MD5
8ea001ea1659e696ee3f13752f5cb686

SHA1
0c66ce3dc74df2da198e5bc8ee692e0f529384d6

SHA256
5248d8a01ed16fd51b9fb0d2d2a9126a3d25a72348a3ea19e80d53f746267019

SHA512
3c0938143a61fb24a3cf487bf3f1b95cbdee2fce8f903f93d10399f749ec4b92b3823fdb0886de8f16b109809fc02dd85ff4971d04fc0de31c620211d42fbd93

Download Submit
C:\Users\Admin\AppData\Local\Temp\l7l9uy9q.cmdline

Filesize
266B

MD5
f82519429c0ed4d753d23edef15c2240

SHA1
8d9f643e473a397e02833d08b0f0c66b70c1f9d6

SHA256
5695ae073e73ca8d35a235aca7764d6f48e8375acb6ae9ae2301a1d158c41074

SHA512
b2f1f8db58b7d39f4ec0558c76eb340a82afb83838ed971b75b9d67e2fbde2ee769785b5a1447ae9eb6b0ae4b14b94e8bca7a63f89ea80c09b5f816cb7a84fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp.exe

Filesize
78KB

MD5
fe424c40a4f2a319011de41ba94851df

SHA1
be507ba33377fbfb0d1c4ab600f2125cb542058c

SHA256
e50bf4ab8abcf550140003dfd0864a6f99580e280790ea550cb1253575bc06a2

SHA512
91ab9209809fa3d44e0f09de00a143ad71a1adafa7e56a203c0b5fd90e300e7cb0b4ad1b006c13389070561a089853301f1886eb086f3cf528094de2bc76c380

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC0DF.tmp

Filesize
660B

MD5
46d5ca83a340da88a113d34f8b43dbd1

SHA1
e72534bf2599de6aed63f8484a4fd47f930131ff

SHA256
18af735c03fde70ec7bd241a7e60bb70de3a5832e530d252f460f7b21c79f16e

SHA512
ba527dbc1b57b3e9f33a17d52ee14f1537e7b2c13bcd8169d993c043db4393e48f727505fd283042118080fdf75f1190c556c872041e3ec01266932fdf658bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8008b17644b64cea2613d47c30c6e9f4

SHA1
4cd2935358e7a306af6aac6d1c0e495535bd5b32

SHA256
fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

SHA512
0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

Download Submit
memory/108-0-0x0000000074481000-0x0000000074482000-memory.dmp

Filesize
4KB

Download
memory/108-1-0x0000000074480000-0x0000000074A2B000-memory.dmp

Filesize
5.7MB

Download
memory/108-2-0x0000000074480000-0x0000000074A2B000-memory.dmp

Filesize
5.7MB

Download
memory/108-24-0x0000000074480000-0x0000000074A2B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-8-0x0000000074480000-0x0000000074A2B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-18-0x0000000074480000-0x0000000074A2B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing