metamorpherrat | 4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41

General

Target

4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe
Size

78KB
MD5

1b1c5df4bc7bd45362a00185c12eba50
SHA1

57072f26a09e7fd3111b6789cbe7fd483ab77e1d
SHA256

4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41
SHA512

baa086046b94b6e1ec5e33238378c103b47ecbc4123a9abfd2c725cf88be9d37fe02a930215cd8dc89277c01107fd4f7b40de6f617a1748b4d1d211a59f27871
SSDEEP

1536:gHY6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQte9/F1Br:gHYI3DJywQjDgTLopLwdCFJze9/V

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2356	tmpBB82.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2316	4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe
2316	4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBB82.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2916	2316	4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe	30
PID 2316 wrote to memory of 2916	2316	4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe	30
PID 2316 wrote to memory of 2916	2316	4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe	30
PID 2316 wrote to memory of 2916	2316	4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe	30
PID 2916 wrote to memory of 2464	2916	vbc.exe	32
PID 2916 wrote to memory of 2464	2916	vbc.exe	32
PID 2916 wrote to memory of 2464	2916	vbc.exe	32
PID 2916 wrote to memory of 2464	2916	vbc.exe	32
PID 2316 wrote to memory of 2356	2316	4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe	33
PID 2316 wrote to memory of 2356	2316	4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe	33
PID 2316 wrote to memory of 2356	2316	4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe	33
PID 2316 wrote to memory of 2356	2316	4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe	33

C:\Users\Admin\AppData\Local\Temp\4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe
"C:\Users\Admin\AppData\Local\Temp\4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wrycgsl3.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC4E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC4D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2464
- C:\Users\Admin\AppData\Local\Temp\tmpBB82.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBB82.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBC4E.tmp

Filesize
1KB

MD5
a3c8eb4db259b9dbf043cb430d18d9af

SHA1
6af0ff9833c1818cf50c7141512ae1eece070789

SHA256
ad94ce8fd539c8afed418803495ca10c23a0d5562ea99ccf9086bdaea136e500

SHA512
9dec60ae8421a9c5e758e1d31ce9f9a9309e7111fdb81a32dcad37df774813d6935b61d07447f5279ec24b00d86c888f6db4b9d56ceb54bdf123b24fa1eb44f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBB82.tmp.exe

Filesize
78KB

MD5
4023865fcf6090d776e9dda2e3891215

SHA1
16d8c3b505214f718838e58418c8fb1f86d8d975

SHA256
80d2cbc100929a89fa963359c0cd116f997dd8a312429f2ee8df1d839cbe81c4

SHA512
f4b598789ae4bfa17e8a44c37098cdb8d7ec9ad4fb56684968c99f8595beeb922bdf011fd8fcf482e01948f8b1234ca139ed9776742c63bc67d1adf89b14c5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBC4D.tmp

Filesize
660B

MD5
a7b5c6a9b3a136a569ce108a5d29d66b

SHA1
1cd127dab0ce68186d600f4bb53df9283fd6e918

SHA256
b553109a9a89163d59f3b9277d38eb9c19f1ebc0e7a82ac9fb82d98da6edb59d

SHA512
7dc221655ffff9db869ac574f00155af681ce11176c667a3ed2e4f93ea4694bd2feddbb732b2b6f1eaaecee821f71b2a730a9cc4fa469982391933dbe3919c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrycgsl3.0.vb

Filesize
15KB

MD5
be22d152c5bddb0ea4420c0e3113c09b

SHA1
9e72bac243685597d3249b84c63d3571f47b1861

SHA256
a965e9b517767f1d51746fdeb0ed7904f57a79da3960d0a950fba46d17482c29

SHA512
8f084fd4a6bfaff93b0ee6b1aac4454db241495347a812e35405e9f1fc010581d4f2d8ee0a4219e1a7da32334c9a07a804561a7a934793bf0238db762bad3e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrycgsl3.cmdline

Filesize
266B

MD5
268844d055f8b0f883ca85c2131e4f8b

SHA1
6872dbe31540b6ad085ee9e7c5ce3836a1bfcf64

SHA256
97f9788d33d2eeab056270031498f3b7eba2091449aaceee2d9e68dfb8c1e4e4

SHA512
365c18e8595fd9a199315fa6ce2c660de98ab5aba11ca40996265a38affbcf42e17cea9c1aefea7e6dc1d969a5862e0fa6ac39b4e9d2cc76fb5cf0a86e812457

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2316-0-0x0000000074681000-0x0000000074682000-memory.dmp

Filesize
4KB

Download
memory/2316-1-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download
memory/2316-2-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download
memory/2316-24-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-8-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-18-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing