metamorpherrat | 8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986

General

Target

8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe
Size

78KB
MD5

6aaa8712e3a827682516810fe4519f77
SHA1

a660917f9c7caec977de9f93bf8ace9ec7fddedb
SHA256

8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986
SHA512

733215a309c7d377a284b3e4c29d0c089c62cddf08bd50a19d391eba1648a5b060cd5e86989d630dca04fedeea4b5e3553049e15428ae35271112bff3e17c899
SSDEEP

1536:RtHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtR9/QQ1X1L:RtHFoI3DJywQjDgTLopLwdCFJzR9/QsL

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
948	tmp6E5D.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2940	8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe
2940	8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6E5D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2392	2940	8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe	30
PID 2940 wrote to memory of 2392	2940	8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe	30
PID 2940 wrote to memory of 2392	2940	8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe	30
PID 2940 wrote to memory of 2392	2940	8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe	30
PID 2392 wrote to memory of 2944	2392	vbc.exe	32
PID 2392 wrote to memory of 2944	2392	vbc.exe	32
PID 2392 wrote to memory of 2944	2392	vbc.exe	32
PID 2392 wrote to memory of 2944	2392	vbc.exe	32
PID 2940 wrote to memory of 948	2940	8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe	33
PID 2940 wrote to memory of 948	2940	8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe	33
PID 2940 wrote to memory of 948	2940	8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe	33
PID 2940 wrote to memory of 948	2940	8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe	33

C:\Users\Admin\AppData\Local\Temp\8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe
"C:\Users\Admin\AppData\Local\Temp\8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\brlwrl8t.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F76.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F75.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2944
- C:\Users\Admin\AppData\Local\Temp\tmp6E5D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6E5D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8d9735e44206c9745f4d702d3dda9a2d1ca43698834c65fcba6ffe46de53e986.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6F76.tmp

Filesize
1KB

MD5
bd097a9b7a604fa127ce3baabb215407

SHA1
129fd23657aaf5028653e42da646cae9337e72e3

SHA256
b2736e4729992acea38d4661abf1f05b978080b1887ae5de4fcec4129ebca79d

SHA512
87e5be853e773069cbfeca13e12d0ea5e0b240f65b549407b42090980a3067ba8fbc37a37b4ebf9b6e9264b54d42afa3ada5b2fdec27daa0dfd1109fae173a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\brlwrl8t.0.vb

Filesize
15KB

MD5
8f968ed6b7af0ddfb835907d409b673d

SHA1
db311f39abfda07b6d23cc9e9fd8acd86b510809

SHA256
d7e7d6a60472091926eced74c2848c9427f4fbb3ccd2944b9864de5dbc5c1074

SHA512
18a2fcb8a46b634b5bf10646b60e397c0a95226c9e2b8051dd09df2fc793aa0bb73d5082a7b90b8bd957242c24d7ddb3954319ab83822004c6fb3456e641e462

Download Submit
C:\Users\Admin\AppData\Local\Temp\brlwrl8t.cmdline

Filesize
266B

MD5
28f52ce34af7220a81a2222e1d864bed

SHA1
1b5319784951155d824ac3c2ae389f15fafcee9d

SHA256
953e93183011ac3782a60809ee849617ac9c7dde59c0698f561d09f8798fa597

SHA512
6a9e89497bb66f2595c1a9a4019b51cf69512ac71a836d815113cae5ebb077b79d9957eefc85a6f60216d4fd972d202e966c302e2d6b19d6fbe98b5fc33ea0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6E5D.tmp.exe

Filesize
78KB

MD5
4e7a579dc619f79387edcbe7e92dd7e5

SHA1
0eb453ba046622929ad021419b33c63109b6d70b

SHA256
6ad5c3c922f98f337ceb5be387687eed0c7e151d453767ae6c8b2b3160f44ff6

SHA512
d3f233cf783787852edcbd4bf463e3933bf66c85b9f290f419087a2cf766718a855680898de61c33775e8dd8b3143e0d0db26914a00409e05da4cc6daefb65e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6F75.tmp

Filesize
660B

MD5
c1e3b202642e26e5cde2ad84ddd21938

SHA1
86990c16707eabea51aedd8cf3e045ef84623deb

SHA256
5e505441699c576e9cd8b8c5678167725e6cb58be2e145a80fd2b1ed942d0da8

SHA512
d72443de7c8596bfabbf15c6c668c21cedd8dbac09ebb8171208dd207210ca0bfa40d5edb86c6551ce630b64b4fa5eacb825ee5c042ee3b2a2d4540e2fd55453

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2392-8-0x0000000074ED0000-0x000000007547B000-memory.dmp

Filesize
5.7MB

Download
memory/2392-18-0x0000000074ED0000-0x000000007547B000-memory.dmp

Filesize
5.7MB

Download
memory/2940-0-0x0000000074ED1000-0x0000000074ED2000-memory.dmp

Filesize
4KB

Download
memory/2940-1-0x0000000074ED0000-0x000000007547B000-memory.dmp

Filesize
5.7MB

Download
memory/2940-2-0x0000000074ED0000-0x000000007547B000-memory.dmp

Filesize
5.7MB

Download
memory/2940-24-0x0000000074ED0000-0x000000007547B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing