metamorpherrat | 03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0

General

Target

03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe
Size

78KB
MD5

3c45405aa914a6f3b5fc9b7ca48701a0
SHA1

375daa058d89e5fcf72f55bc2f05b4e267dabebe
SHA256

03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0
SHA512

83eea3a03004ebf292859ca86729767b966aec648f61b12031a772a76f2fb403fa47f988ff2a1d1480a174f39d93417b703a0a22bc57f606a1aef43b14c93307
SSDEEP

1536:Qy5xpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtd6z9/m1ox:Qy5HJywQjDgTLopLwdCFJz49/X

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpF1CE.tmp.exe

pid process

2940 tmpF1CE.tmp.exe

pid	process
2940	tmpF1CE.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe

pid	process
2336	03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe
2336	03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exevbc.execvtres.exetmpF1CE.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF1CE.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe

description pid process

Token: SeDebugPrivilege 2336 03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe

description	pid	process
Token: SeDebugPrivilege	2336	03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exevbc.exe

description	pid	process	target process
PID 2336 wrote to memory of 2608	2336	03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe	vbc.exe
PID 2336 wrote to memory of 2608	2336	03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe	vbc.exe
PID 2336 wrote to memory of 2608	2336	03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe	vbc.exe
PID 2336 wrote to memory of 2608	2336	03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe	vbc.exe
PID 2608 wrote to memory of 2236	2608	vbc.exe	cvtres.exe
PID 2608 wrote to memory of 2236	2608	vbc.exe	cvtres.exe
PID 2608 wrote to memory of 2236	2608	vbc.exe	cvtres.exe
PID 2608 wrote to memory of 2236	2608	vbc.exe	cvtres.exe
PID 2336 wrote to memory of 2940	2336	03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe	tmpF1CE.tmp.exe
PID 2336 wrote to memory of 2940	2336	03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe	tmpF1CE.tmp.exe
PID 2336 wrote to memory of 2940	2336	03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe	tmpF1CE.tmp.exe
PID 2336 wrote to memory of 2940	2336	03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe	tmpF1CE.tmp.exe

C:\Users\Admin\AppData\Local\Temp\03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe
"C:\Users\Admin\AppData\Local\Temp\03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\psew8hc_.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF567.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF566.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2236
- C:\Users\Admin\AppData\Local\Temp\tmpF1CE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF1CE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF567.tmp

Filesize
1KB

MD5
1eae678cedc226e82aed999a9cf3f2fd

SHA1
da800be72d2288e9a1cc114c13fb34c96f5e23e4

SHA256
187a4c649e8a69e74f5085cfa1ec6866bce53cf0cbee4701c9ec122c60b38248

SHA512
67a88e8fba56c70f561ac47056e99e1afb9a0a0553358d75fe60c8c387fbf3c7b6e2c2316e8c4109e76250ff8ccc268b066bd010ac9d85b18660e946491c38e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\psew8hc_.0.vb

Filesize
14KB

MD5
5b1322ea0584f3bee7548b4230791681

SHA1
a499d23946738de3b98b16c9a6fd9dcc80bff3ab

SHA256
290d98be73b163cb2d6f195a886444006a44a3aaaae5f71db2260f54fc277f45

SHA512
a5ad3f90823d824849073b8ff46fb55ff176622aea7215912c57da91420c28f72a18c828a062538e61f5cccade3b800183b4b95c11107ad2b55b3716b20f37d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\psew8hc_.cmdline

Filesize
266B

MD5
a604b78b38d18966e4c1f6e6a1a6172a

SHA1
5729a57c1fc7485907d3330ec90135ab4de79874

SHA256
bc4afdd8ac467ae88aab70683775b4f50fee188e6e0a23cffd5568053bf323b8

SHA512
b1e084a676fef1f1356b8a437d5076122cc65d118e37b96e9db7878dc94bed5f0dcb8173a05b18e1b49f071ceddbd2cf98cdc732582b1b2832542431d0270463

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF1CE.tmp.exe

Filesize
78KB

MD5
e5bfa0ac6fdc1f14e45c0e19c3fa28c7

SHA1
0da09b5102b1a5fd7e44547775db26ca5c18d1e5

SHA256
eb9983f6939ac30fb1b159b74a97900b1745404a4107a44676a4ccc2b6f85b06

SHA512
0450285303c076bad69edc67b9b116a5e7aea4ec4cd31b17b1272f648e945bc9b6b5fc9a6f9b4e200f9dae1f79074b28fd80a0decf6faee8acc5d24ce50866b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF566.tmp

Filesize
660B

MD5
e57c616f1f39d15a5fab236f5b329fa0

SHA1
a9f3ae9152e634221bba1790aac0b7ef2b456ad8

SHA256
e845ed4f74bff7db5707f135e0ba542b2c56e6595519a42704c5035290c254b5

SHA512
384b93dd837aa4186566a56122c2405b5640937c60c4ab86e85a17161e6d871ae7dc88aed28ed0896934a8f9a616096d50ba172d061fd128ba713f329c88b1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2336-0-0x0000000074AB1000-0x0000000074AB2000-memory.dmp

Filesize
4KB

Download
memory/2336-1-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download
memory/2336-2-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download
memory/2336-24-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-8-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-18-0x0000000074AB0000-0x000000007505B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads