metamorpherrat | 32c5dd7b363ececf1c10634c93b03d499a1f3cabf9e0f2275a595d106bda57e0

General

Target

32c5dd7b363ececf1c10634c93b03d499a1f3cabf9e0f2275a595d106bda57e0N.exe
Size

78KB
MD5

cf5a6897dd4ba4ead16dec867fb7bd90
SHA1

467ca13b6b7a3bdc83a24af5c2cc544dcb9bf65e
SHA256

32c5dd7b363ececf1c10634c93b03d499a1f3cabf9e0f2275a595d106bda57e0
SHA512

21755e2249d47e419594cea286204c7927f4755e18f2745f025e620f24da81880795b264f5257163b90954a152e12fa3facc103a4053a319f5917cdcbd30b929
SSDEEP

1536:pRWtHHuaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtMj9/I1jD:pRWtH/3DJywQjDgTLopLwdCFJzMj9/+

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2628	tmp4D65.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1692	32c5dd7b363ececf1c10634c93b03d499a1f3cabf9e0f2275a595d106bda57e0N.exe
1692	32c5dd7b363ececf1c10634c93b03d499a1f3cabf9e0f2275a595d106bda57e0N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4D65.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32c5dd7b363ececf1c10634c93b03d499a1f3cabf9e0f2275a595d106bda57e0N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	32c5dd7b363ececf1c10634c93b03d499a1f3cabf9e0f2275a595d106bda57e0N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2796	1692	32c5dd7b363ececf1c10634c93b03d499a1f3cabf9e0f2275a595d106bda57e0N.exe	30
PID 1692 wrote to memory of 2796	1692	32c5dd7b363ececf1c10634c93b03d499a1f3cabf9e0f2275a595d106bda57e0N.exe	30
PID 1692 wrote to memory of 2796	1692	32c5dd7b363ececf1c10634c93b03d499a1f3cabf9e0f2275a595d106bda57e0N.exe	30
PID 1692 wrote to memory of 2796	1692	32c5dd7b363ececf1c10634c93b03d499a1f3cabf9e0f2275a595d106bda57e0N.exe	30
PID 2796 wrote to memory of 2724	2796	vbc.exe	32
PID 2796 wrote to memory of 2724	2796	vbc.exe	32
PID 2796 wrote to memory of 2724	2796	vbc.exe	32
PID 2796 wrote to memory of 2724	2796	vbc.exe	32
PID 1692 wrote to memory of 2628	1692	32c5dd7b363ececf1c10634c93b03d499a1f3cabf9e0f2275a595d106bda57e0N.exe	33
PID 1692 wrote to memory of 2628	1692	32c5dd7b363ececf1c10634c93b03d499a1f3cabf9e0f2275a595d106bda57e0N.exe	33
PID 1692 wrote to memory of 2628	1692	32c5dd7b363ececf1c10634c93b03d499a1f3cabf9e0f2275a595d106bda57e0N.exe	33
PID 1692 wrote to memory of 2628	1692	32c5dd7b363ececf1c10634c93b03d499a1f3cabf9e0f2275a595d106bda57e0N.exe	33

C:\Users\Admin\AppData\Local\Temp\32c5dd7b363ececf1c10634c93b03d499a1f3cabf9e0f2275a595d106bda57e0N.exe
"C:\Users\Admin\AppData\Local\Temp\32c5dd7b363ececf1c10634c93b03d499a1f3cabf9e0f2275a595d106bda57e0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5vmy8tkl.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F0B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F0A.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2724
- C:\Users\Admin\AppData\Local\Temp\tmp4D65.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4D65.tmp.exe" C:\Users\Admin\AppData\Local\Temp\32c5dd7b363ececf1c10634c93b03d499a1f3cabf9e0f2275a595d106bda57e0N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5vmy8tkl.0.vb

Filesize
15KB

MD5
758e8c076428dbf96f6e9805ffae5b3f

SHA1
5e89b3dec913184eb58f2723817529795516a853

SHA256
853780730b10b50b58c4b0473e0d071ec6e0206cf5e0dee3144f97e8179c1f42

SHA512
f4131e63b0b35645678aa47fadd38b7f5e38c9a8c64774a34a0b51dd943294d5a2c5df4dc516fc5e4b92e73fdead5d5bd7207ae44efa07d3da937b0b532fed3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5vmy8tkl.cmdline

Filesize
266B

MD5
64731fc23f199c3bbfc8e7d52f993efa

SHA1
f5b19f88dc471611c7a620036c1b7ca33e15bd91

SHA256
cc10287df7b8615a1601f999992ca1bedea4dbe17430c154c8599e3379bacbd4

SHA512
0182f72b39fefb810a9dd7b848419ea43275cfbe2016b14d3f11e87cb862a522d98fe07b77da45c9530ddd26b992537cead16d7a8a62791666b033fb6115df63

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4F0B.tmp

Filesize
1KB

MD5
613acaa729ef45170c66afed54a762df

SHA1
45f62e216c269aad055fcb14daeadf1291a80e0d

SHA256
27e71a08f816b1fe6e965e94ee5e0d52fd237ac0e09ad69df459c77ed20f60ab

SHA512
86a076bef34150d39b27e7cfada8aa75f661f327d98e3ac848655546501e5abeb5b490508d7bb6e73ff5fe42d11c61227f03468f7899acd3aef6860aa81a11c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4D65.tmp.exe

Filesize
78KB

MD5
0a3e7f269ddae02e96d64a611c780e8b

SHA1
b950a6d82ddf837a2ea8a3856faf32bb5061c81e

SHA256
e5916aed929c3c041d1cfd9170bc0e2392ce449703b43392373baef48296a1a3

SHA512
e7e34a03c4aa17fa6897944b9fb575edc890cf7714d7704089f781dd2e0d2a53e9188c9b8e479517bba7f379d6f617f7b2a4631fadfd7b19ee40342f741fe273

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4F0A.tmp

Filesize
660B

MD5
5cade14efbf130dbc7c7d3da33cccc12

SHA1
0927b7d604e44795801fd48a5c50f55053233aa0

SHA256
db9dc8742346de0ef4a35730ab78b30af990b58162c2d21454179bdd82996ae1

SHA512
2c8ca4b43e86683e6a03b7a954644c16b493f58d836cad24408b3e863df2e19db49cef62d7cc4d1746ee7f5bf3d7e68d71e94ea2ff4c55f1f709631d7613c3ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1692-0-0x0000000074551000-0x0000000074552000-memory.dmp

Filesize
4KB

Download
memory/1692-1-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1692-2-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1692-24-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/2796-8-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/2796-18-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing