metamorpherrat | cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94

General

Target

cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe
Size

78KB
MD5

ca7583847cf90a0434f961c3951d08b0
SHA1

d639286f4cc2cd8ac5c8d484519ee803f0983699
SHA256

cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94
SHA512

7c102cb7ace48ba871ccb3daea3a720bba98930aa73140c2cec1ef3c76ee706c98655b73c8e22d88c058e8f7af0996f3c8e81ef78dc20157d13ae52f65ebf847
SSDEEP

1536:bCHF3JIfpJywt04wbje37TazckwzW4UfSqRovPtoY0BQt1t9/0H1ow:bCHF5IhJywQj2TLo4UJuXHh1t9/s

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

Processes:

tmpE9C3.tmp.exe

pid	Process
2692	tmpE9C3.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe

pid	Process
2788	cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe
2788	cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vbc.execvtres.exetmpE9C3.tmp.execd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE9C3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe

description	pid	Process
Token: SeDebugPrivilege	2788	cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exevbc.exe

description	pid	Process	procid_target
PID 2788 wrote to memory of 2680	2788	cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe	31
PID 2788 wrote to memory of 2680	2788	cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe	31
PID 2788 wrote to memory of 2680	2788	cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe	31
PID 2788 wrote to memory of 2680	2788	cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe	31
PID 2680 wrote to memory of 2848	2680	vbc.exe	33
PID 2680 wrote to memory of 2848	2680	vbc.exe	33
PID 2680 wrote to memory of 2848	2680	vbc.exe	33
PID 2680 wrote to memory of 2848	2680	vbc.exe	33
PID 2788 wrote to memory of 2692	2788	cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe	34
PID 2788 wrote to memory of 2692	2788	cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe	34
PID 2788 wrote to memory of 2692	2788	cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe	34
PID 2788 wrote to memory of 2692	2788	cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe	34

C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe
"C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tdky0clx.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB0B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB0A.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2848
- C:\Users\Admin\AppData\Local\Temp\tmpE9C3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE9C3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEB0B.tmp

Filesize
1KB

MD5
148cf3f369f4f0e09c157c273418f1f0

SHA1
bc6d1b46155e5d48315ee15da1a3d52778af5d1f

SHA256
87173b60a57328539f3150e5f88f8e9fe5b6a3dab566cdb6aa57d5257cbbcbab

SHA512
5379d2a4dc189c929b7023fd2894f711c1c1fb3853baad93b805d2de05881b85f9eab4289d4b105d3346df9fac3aa463402d2fe78366b62c62ac2ca12a3a1829

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdky0clx.0.vb

Filesize
15KB

MD5
3f808e1a3751cabdd98a4d92d479a91a

SHA1
0f30146b0aa0d51d28a1ad945bab45934c4b0e9c

SHA256
15b34b50188c2e44f78be4fb680b3420b15a59fba020a0c57d7c2c805fa6e2fc

SHA512
b3e8d0a158fbc3123b35c0c3cff6b294469a07dc63f898bb4357f905fedc6e72e14568e461ed5e6de25e06921256160bb0d5cccdc13bec5243d8e9b9f61b390f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdky0clx.cmdline

Filesize
266B

MD5
fed1d2d74fcf9f2ebb06a01d71c08d41

SHA1
a62734bbcf101d6ef1cf5f89e2e22d95e2090445

SHA256
665dd3b88cd14c170e8f3c383819ab14c47191e7084f784be31a27fce44795de

SHA512
44736ec4ef8452c59a8606188e839c9e8df1c4dd1927a7cdc1e43dcdf32270dbe8afbebc7cb71165e4edf31db532a1f29a720c0a35e73f485b693c78410122bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE9C3.tmp.exe

Filesize
78KB

MD5
016ebf1a17692cf760daed1abcf88e6a

SHA1
3a4521b85ab5688b554cd5f231a5a6d18d350cef

SHA256
6356028f295bf642290634881aea11792a6f12947e43fdfab8db24b8462decb0

SHA512
66b8ad0929b1d9f799ddf3385ef684f36845d621bab62413bf73dcf888d55a1f440795bde2323dbcaba19120445606488f472f442f238dd9ec5ca79c4d96d3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEB0A.tmp

Filesize
660B

MD5
667ac222c090d2fd2af9265b5f678c5b

SHA1
f07dfb75a53812e383f18407d70a1eaa0d2d3bc0

SHA256
0a3e6f5dc62da28f077e4107cbaa3d0ef407e81bc86338341a5847967db6c9bb

SHA512
b7b89c0a20db917ef16f243b0a15b2e941edd071ec47afb265e1bd4d856f9523a8db392e43caea22c8681f5b8c7693b391cc2af068fc7dd30e5e99c2beff77d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8008b17644b64cea2613d47c30c6e9f4

SHA1
4cd2935358e7a306af6aac6d1c0e495535bd5b32

SHA256
fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

SHA512
0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

Download Submit
memory/2680-8-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/2680-18-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/2788-0-0x00000000745A1000-0x00000000745A2000-memory.dmp

Filesize
4KB

Download
memory/2788-1-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/2788-2-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/2788-24-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads