metamorpherrat | 9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e

General

Target

9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe
Size

78KB
MD5

1156991c90c7131c76450dd7f4b97f64
SHA1

71c8e26cfe81d26c3d4dfe72936115b23865f5ae
SHA256

9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e
SHA512

cfdce5ada97a2af49705700bbf166b21f5d56c8755f9244f6a115915f3fd6d563bd5c6f7599c7d1f2de71a03ed86e10b0223e62806d7b6f82bb8ffe470263ff0
SSDEEP

1536:UHFo6JIfpJywt04wbje37TazckwzW4UfSqRovPtoY0BQto9/Bb1AL1:UHFoOIhJywQj2TLo4UJuXHho9/a1

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpCDF9.tmp.exe

pid process

596 tmpCDF9.tmp.exe

pid	process
596	tmpCDF9.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe

pid	process
2252	9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe
2252	9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vbc.execvtres.exetmpCDF9.tmp.exe9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCDF9.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe

description pid process

Token: SeDebugPrivilege 2252 9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe

description	pid	process
Token: SeDebugPrivilege	2252	9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exevbc.exe

description	pid	process	target process
PID 2252 wrote to memory of 2532	2252	9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe	vbc.exe
PID 2252 wrote to memory of 2532	2252	9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe	vbc.exe
PID 2252 wrote to memory of 2532	2252	9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe	vbc.exe
PID 2252 wrote to memory of 2532	2252	9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe	vbc.exe
PID 2532 wrote to memory of 2556	2532	vbc.exe	cvtres.exe
PID 2532 wrote to memory of 2556	2532	vbc.exe	cvtres.exe
PID 2532 wrote to memory of 2556	2532	vbc.exe	cvtres.exe
PID 2532 wrote to memory of 2556	2532	vbc.exe	cvtres.exe
PID 2252 wrote to memory of 596	2252	9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe	tmpCDF9.tmp.exe
PID 2252 wrote to memory of 596	2252	9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe	tmpCDF9.tmp.exe
PID 2252 wrote to memory of 596	2252	9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe	tmpCDF9.tmp.exe
PID 2252 wrote to memory of 596	2252	9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe	tmpCDF9.tmp.exe

C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe
"C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zx68fljv.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF51.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF50.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2556
- C:\Users\Admin\AppData\Local\Temp\tmpCDF9.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCDF9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCF51.tmp

Filesize
1KB

MD5
fd01e5a9fd9b76b3055c9c6f693cd050

SHA1
7f0ec189162fd6f0d732a0c8a24eac6d48f65307

SHA256
efc66a8460bccdad270955bbe310af389e4ed4880909754fe230f958beb0fa63

SHA512
b6862b1ca1304d7a2bbe29e3208651d034e384be0206d576dd52cf29114075bfac7be15be7ba53c44f8fda513665b60cc2e3f4c14bff57104634e12681dcdffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCDF9.tmp.exe

Filesize
78KB

MD5
7e2be1392abf487db4c2cbf7332a645d

SHA1
3dbaeca7ae94ee4c89363ded82505ad4237fdd1b

SHA256
07f59f66f6b6ae8e2fea3061122a5fef6cc1fed925a27b4357b2babbd0a818ca

SHA512
0870a6d38c6a8f6fc17039c4264e224797636caff9779352dcdac32b39d6cbfa0e5dbeedf835dcba786aa2347b298163383f9fcd9b9ce5dee61be8960790bf5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCF50.tmp

Filesize
660B

MD5
ef24f9c9823a8fb5fde78d33ca96ce4b

SHA1
9e152e866de05635db9dfd076eeb3f8995abdbcd

SHA256
9e65371f6e5b90933406a43c06eec68d800784e4185ccb74bbc67b70adc8f933

SHA512
e296749ebe7d94d4c4ca0a16e4d4567009906c4524ab15b756fdc47c4f74d7973b7e0ad3bd590e80390ac665871426dd7e6631f47d05dabf90b966e07e620835

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8008b17644b64cea2613d47c30c6e9f4

SHA1
4cd2935358e7a306af6aac6d1c0e495535bd5b32

SHA256
fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

SHA512
0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\zx68fljv.0.vb

Filesize
15KB

MD5
9cb585132d764c6e7685c96d70c49000

SHA1
370a8bf7949da8226e214f718dfaf2ac7823bf61

SHA256
4e181b2de6f3b7a8022f41f1893c3f64dd92f38eba8bb473f59cd5459d3b57e1

SHA512
765f0883c4ddc234e2551fbd9fe3ac9ff1278a11f6b2cd6736dec5a029687e40747eaa44209a0ac0809fc5b05d42b7d6bfa55e5c0e5249adbf4d0483c61df644

Download Submit
C:\Users\Admin\AppData\Local\Temp\zx68fljv.cmdline

Filesize
266B

MD5
08b88f83a52a5c3633cafaad582779be

SHA1
1a5a455e44dfd8871f5069dcbb4bdb3ade56d4e3

SHA256
981573e4c10b2f3d0edfe0d5120da2145e87659dbaaccb544b2c05b650807afd

SHA512
d034bb5a344a1ad8c56569952dfcf5ea1c7c38904b2dd9d5500fea073d7fd868aca5364e2ab06ab00120272313767cfbfdd68ac46d2e4532289c4b58bf2b917a

Download Submit
memory/2252-0-0x0000000074081000-0x0000000074082000-memory.dmp

Filesize
4KB

Download
memory/2252-1-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2252-2-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2252-23-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2532-8-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2532-18-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads