metamorpherrat | dcc19469be925e789119f92339ac25c436d8fe566fa66c3b8d6bb655c434c0f1

General

Target

dcc19469be925e789119f92339ac25c436d8fe566fa66c3b8d6bb655c434c0f1N.exe
Size

78KB
MD5

8a103a57e4d92f807ada17d0747b70c0
SHA1

a12069f6a6db4826e8c74f868e1ab445c958f777
SHA256

dcc19469be925e789119f92339ac25c436d8fe566fa66c3b8d6bb655c434c0f1
SHA512

fb5653fc5c4dab5578c9a459c87d2f84a772d25d2b78077cca3ea7b9a32b00d77917462bdd2f6859118944ec3af7a82ef7751539cabdc99472ae8434c7e0b792
SSDEEP

1536:KRWtHY6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtLS9/61Bi:KRWtHYI3DJywQjDgTLopLwdCFJzLS9/P

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2784	tmpC207.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2040	dcc19469be925e789119f92339ac25c436d8fe566fa66c3b8d6bb655c434c0f1N.exe
2040	dcc19469be925e789119f92339ac25c436d8fe566fa66c3b8d6bb655c434c0f1N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC207.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcc19469be925e789119f92339ac25c436d8fe566fa66c3b8d6bb655c434c0f1N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	dcc19469be925e789119f92339ac25c436d8fe566fa66c3b8d6bb655c434c0f1N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1908	2040	dcc19469be925e789119f92339ac25c436d8fe566fa66c3b8d6bb655c434c0f1N.exe	30
PID 2040 wrote to memory of 1908	2040	dcc19469be925e789119f92339ac25c436d8fe566fa66c3b8d6bb655c434c0f1N.exe	30
PID 2040 wrote to memory of 1908	2040	dcc19469be925e789119f92339ac25c436d8fe566fa66c3b8d6bb655c434c0f1N.exe	30
PID 2040 wrote to memory of 1908	2040	dcc19469be925e789119f92339ac25c436d8fe566fa66c3b8d6bb655c434c0f1N.exe	30
PID 1908 wrote to memory of 1964	1908	vbc.exe	32
PID 1908 wrote to memory of 1964	1908	vbc.exe	32
PID 1908 wrote to memory of 1964	1908	vbc.exe	32
PID 1908 wrote to memory of 1964	1908	vbc.exe	32
PID 2040 wrote to memory of 2784	2040	dcc19469be925e789119f92339ac25c436d8fe566fa66c3b8d6bb655c434c0f1N.exe	33
PID 2040 wrote to memory of 2784	2040	dcc19469be925e789119f92339ac25c436d8fe566fa66c3b8d6bb655c434c0f1N.exe	33
PID 2040 wrote to memory of 2784	2040	dcc19469be925e789119f92339ac25c436d8fe566fa66c3b8d6bb655c434c0f1N.exe	33
PID 2040 wrote to memory of 2784	2040	dcc19469be925e789119f92339ac25c436d8fe566fa66c3b8d6bb655c434c0f1N.exe	33

C:\Users\Admin\AppData\Local\Temp\dcc19469be925e789119f92339ac25c436d8fe566fa66c3b8d6bb655c434c0f1N.exe
"C:\Users\Admin\AppData\Local\Temp\dcc19469be925e789119f92339ac25c436d8fe566fa66c3b8d6bb655c434c0f1N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yuvvle9k.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC340.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC33F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1964
- C:\Users\Admin\AppData\Local\Temp\tmpC207.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC207.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dcc19469be925e789119f92339ac25c436d8fe566fa66c3b8d6bb655c434c0f1N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC340.tmp

Filesize
1KB

MD5
17b34f8a97f3795138c28d1744d4bec8

SHA1
fe2cec2cf283a3a7955cdc4ad6e020bfc29b4902

SHA256
8e6a631e60f2c7c28c9db2fd31de591c9a1b98a4f106e5fc3b72063d22b22068

SHA512
319c20a37c88b3008720b78fa59453a4cc18ba13b3b17dd14e1f121e28d0775f099acfa2abe966cfee457b3d4e64e4d97c10e59bd07df500809898886fa66d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC207.tmp.exe

Filesize
78KB

MD5
dc491d24d4596e75f753bc510d29c39b

SHA1
86e1e4fe6274752ebe4a9cb85e16800a1a09e03c

SHA256
20c15ccd8b96f308576404fcd56ccab57afb4c0a4f69d13e26a5b9297b7b0c8e

SHA512
b7521b34b8b44af84683a70c89ba646df940c0c23075ad7a779c5190d86cd9ff9e8757847407bc720740ad25e608aa6a5c1430553d3cfabe80dddd065cb74df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC33F.tmp

Filesize
660B

MD5
768ff608e3f52e71fbc1cba90f85c062

SHA1
7b7f3c1d3cebf72879793143e9255e012d8a805b

SHA256
d1e01c47148ee6dbf67e6c6a33e5053613b620344a9250cbed1194c144ea5bd6

SHA512
f1e02cdc66677d0d6331f0ae1a714ecf463001837995faf98ad9e5d796f32081e2c6e84bcf66f3f37b3cb65e096d75100744361629de28d871f685280f004729

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuvvle9k.0.vb

Filesize
15KB

MD5
ea6eb4b4f9e87e54188690f82e9c206b

SHA1
6faca275ef32dc95e5184b2eb81d8d11c9d1d03b

SHA256
3df58fc29820c90069decc010b4419964c3e3c2ba437708e6c59356cf601b28b

SHA512
9b201185f4d3a82f7ae01cd5d6c8aba3ca7423c4103eb58dbd682915c40e31822b30aefa5635ec13330ad35475156bf06ea3e908efc0c1e517241815fc972b57

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuvvle9k.cmdline

Filesize
266B

MD5
c400a6b89a949f996dbcfff27507a493

SHA1
02da904a192061733c10e681e5f53d3476bdaa35

SHA256
8d1e4345205d582bf860a3c14563b9eaeeebe922381a5e14435dd660b0b4f9e1

SHA512
6a930ed05168b48d3303d9ff16a2f5b17684d5300c240462bc60fade9c3f5d40a440bc40aba395456009fae4576ee84a7fdbbd28ba590a190194f68823dfca2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1908-8-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/1908-18-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-0-0x0000000074251000-0x0000000074252000-memory.dmp

Filesize
4KB

Download
memory/2040-1-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-2-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-24-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing