metamorpherrat | 1e1c24f07838641dc4dbf5be3897fa4ecda27d3bd9bd7db32eb98af15a96790f

General

Target

1e1c24f07838641dc4dbf5be3897fa4ecda27d3bd9bd7db32eb98af15a96790f.exe
Size

78KB
MD5

a5e919be2b6ebbb8f6fb143298c3c141
SHA1

d64fbe58256e3c8e61231008f228d1ccce0cdc89
SHA256

1e1c24f07838641dc4dbf5be3897fa4ecda27d3bd9bd7db32eb98af15a96790f
SHA512

e38f837783d0bd8f00a0e01af25c50b5e3afd15bb7391a05f4b21138fa080446776fb8d971d8b3632c6568559a435aafb5e13f32614a2c634b676c4138d81df8
SSDEEP

1536:iWtHFo6JIfpJywt04wbje37TazckwzW4UfSqRovPtoY0BQtRr9/x1Pu:iWtHFoOIhJywQj2TLo4UJuXHhRr9/K

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2100	tmpBB15.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2512	1e1c24f07838641dc4dbf5be3897fa4ecda27d3bd9bd7db32eb98af15a96790f.exe
2512	1e1c24f07838641dc4dbf5be3897fa4ecda27d3bd9bd7db32eb98af15a96790f.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e1c24f07838641dc4dbf5be3897fa4ecda27d3bd9bd7db32eb98af15a96790f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBB15.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	1e1c24f07838641dc4dbf5be3897fa4ecda27d3bd9bd7db32eb98af15a96790f.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2164	2512	1e1c24f07838641dc4dbf5be3897fa4ecda27d3bd9bd7db32eb98af15a96790f.exe	30
PID 2512 wrote to memory of 2164	2512	1e1c24f07838641dc4dbf5be3897fa4ecda27d3bd9bd7db32eb98af15a96790f.exe	30
PID 2512 wrote to memory of 2164	2512	1e1c24f07838641dc4dbf5be3897fa4ecda27d3bd9bd7db32eb98af15a96790f.exe	30
PID 2512 wrote to memory of 2164	2512	1e1c24f07838641dc4dbf5be3897fa4ecda27d3bd9bd7db32eb98af15a96790f.exe	30
PID 2164 wrote to memory of 2568	2164	vbc.exe	32
PID 2164 wrote to memory of 2568	2164	vbc.exe	32
PID 2164 wrote to memory of 2568	2164	vbc.exe	32
PID 2164 wrote to memory of 2568	2164	vbc.exe	32
PID 2512 wrote to memory of 2100	2512	1e1c24f07838641dc4dbf5be3897fa4ecda27d3bd9bd7db32eb98af15a96790f.exe	33
PID 2512 wrote to memory of 2100	2512	1e1c24f07838641dc4dbf5be3897fa4ecda27d3bd9bd7db32eb98af15a96790f.exe	33
PID 2512 wrote to memory of 2100	2512	1e1c24f07838641dc4dbf5be3897fa4ecda27d3bd9bd7db32eb98af15a96790f.exe	33
PID 2512 wrote to memory of 2100	2512	1e1c24f07838641dc4dbf5be3897fa4ecda27d3bd9bd7db32eb98af15a96790f.exe	33

C:\Users\Admin\AppData\Local\Temp\1e1c24f07838641dc4dbf5be3897fa4ecda27d3bd9bd7db32eb98af15a96790f.exe
"C:\Users\Admin\AppData\Local\Temp\1e1c24f07838641dc4dbf5be3897fa4ecda27d3bd9bd7db32eb98af15a96790f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7mg6aqe3.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC2F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC2E.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2568
- C:\Users\Admin\AppData\Local\Temp\tmpBB15.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBB15.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1e1c24f07838641dc4dbf5be3897fa4ecda27d3bd9bd7db32eb98af15a96790f.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7mg6aqe3.0.vb

Filesize
15KB

MD5
dd7c931ffb53fb0bc09d95fcc005737c

SHA1
f3843387cf57c6f10df77ddbf79ffe3fffabd965

SHA256
8ed1d28b3b49b12b3d7f0805c2caf1c2995820d241cd9005cf42c55b08977956

SHA512
f60dc347031cf3bf7196119a6b39cafce512d52be8998c4e9f6547f0ff65ee3db7a24ab8319a88d2f39d59955ab8a28f9aa0b0234f71ed91ff38461c4a236523

Download Submit
C:\Users\Admin\AppData\Local\Temp\7mg6aqe3.cmdline

Filesize
266B

MD5
3bfc6a1b2e8fea660ba3243134b91383

SHA1
fe9ad599a994077ab86513dc85944ffc120535a1

SHA256
a447e2ca6c80c2ce19c2dd4ed451366cffdb9a92eab8ec58c0dbeeb283398fac

SHA512
43f42ee1f35a98c134bd1d7832076c977bad2362e93784dcd72b7b91ea0b5e6315bf3cb2991b65a4b58494a393f6668912af6e41c1a6ffdc60e2bdc41b55a999

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBC2F.tmp

Filesize
1KB

MD5
b2a4fb4f389ab0b4fcef3c1854a8ced6

SHA1
b12a3597bbf489f4b49d5ccbfa6a2b8297c77900

SHA256
54ccfcdf564b37b16dc8482202d1ce223dcdda869f2b9eb4d44330c9a798e05e

SHA512
928f03ac3f7740cd35ee40b957e6a3cff0705665d026b1556bf0ef8f898c68c6914b4f90a1a2b465fdedee6ad47cca5c265dfe85ee6d1b04e572d5e6d4646443

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBB15.tmp.exe

Filesize
78KB

MD5
75cb575e506ce4e6ef473a034325faa3

SHA1
cfb9d9e01c0d8a154058f7995a9d0757dab6a34b

SHA256
234b158def6c4727117c588d51141a9175a20b9798801450c91cf15bed181c14

SHA512
8f0fd649c9a39f8612d31e834ad1a28775cdf061a319b8e0b42dcb64a8064cefc740cac6ea79bc31a152f41276e1d19ca214e11fd9f47aa0b2d55204360ec55d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBC2E.tmp

Filesize
660B

MD5
07530c7b67251efb3f66fb2b6f72e037

SHA1
949d307619f71f1171f90cef064c92315169a562

SHA256
c8bb3ddb23a1e51c073c7187d07c738ebd9d56c432376653a9640a33778eeb15

SHA512
2540ea30db95652812b082746abf91f41a2b29da1d34b1b75e11c70d401f20e1b121494ae54d21530938b3056274ad7153c18a121ab77b9ab4d5103a2bb03c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8008b17644b64cea2613d47c30c6e9f4

SHA1
4cd2935358e7a306af6aac6d1c0e495535bd5b32

SHA256
fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

SHA512
0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

Download Submit
memory/2164-8-0x0000000073E00000-0x00000000743AB000-memory.dmp

Filesize
5.7MB

Download
memory/2164-18-0x0000000073E00000-0x00000000743AB000-memory.dmp

Filesize
5.7MB

Download
memory/2512-0-0x0000000073E01000-0x0000000073E02000-memory.dmp

Filesize
4KB

Download
memory/2512-1-0x0000000073E00000-0x00000000743AB000-memory.dmp

Filesize
5.7MB

Download
memory/2512-2-0x0000000073E00000-0x00000000743AB000-memory.dmp

Filesize
5.7MB

Download
memory/2512-24-0x0000000073E00000-0x00000000743AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing