metamorpherrat | c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd

General

Target

c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe
Size

78KB
MD5

16e8f2f151fb0d552a07d5cfc36aa121
SHA1

bb2267c5bae6c55fa3a85f39bdf75faf8d7aa231
SHA256

c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd
SHA512

b66fe62f462cb59943d828a5561730bd9fe73b3df87e57d702df9d0a3cf243f2f546eb67e90e3700c715af38c579d82f60591a5cb0b5c4ddf345e249669d1f65
SSDEEP

1536:qCHY6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtI9/YCa10b:qCHYI3DJywQjDgTLopLwdCFJzI9/YC9

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2592	tmp48C3.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2080	c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe
2080	c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp48C3.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2188	2080	c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe	28
PID 2080 wrote to memory of 2188	2080	c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe	28
PID 2080 wrote to memory of 2188	2080	c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe	28
PID 2080 wrote to memory of 2188	2080	c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe	28
PID 2188 wrote to memory of 2732	2188	vbc.exe	30
PID 2188 wrote to memory of 2732	2188	vbc.exe	30
PID 2188 wrote to memory of 2732	2188	vbc.exe	30
PID 2188 wrote to memory of 2732	2188	vbc.exe	30
PID 2080 wrote to memory of 2592	2080	c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe	31
PID 2080 wrote to memory of 2592	2080	c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe	31
PID 2080 wrote to memory of 2592	2080	c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe	31
PID 2080 wrote to memory of 2592	2080	c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe	31

C:\Users\Admin\AppData\Local\Temp\c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe
"C:\Users\Admin\AppData\Local\Temp\c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fh95ppgq.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES497F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc497E.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2732
- C:\Users\Admin\AppData\Local\Temp\tmp48C3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp48C3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c1520b88607a12beb0a6c23a1ce3196a4a2eb7c692b7be7d8ed4311383f812cd.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES497F.tmp

Filesize
1KB

MD5
89068619ccf8eedbe5533404f211ffa6

SHA1
11b2436906bacee625488bc7cd5009d89c75a1f1

SHA256
91ade5f10b8a842ad5fa93a0f1f9353f63a7ad503769ccf0244de44ae6359a1d

SHA512
022b0aa981a11df1f2546a6783b4b7024cb259335158bca7022256d41f0533d7bb8930c1fd12542b52e019b51e8c0f95fe547e0f3dd03bd1fb02a077e29d53d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fh95ppgq.0.vb

Filesize
15KB

MD5
1296f47adadbb6201f4d088fe2f9734b

SHA1
70fdd2af9a6163de861a0707050327f2b9dca83e

SHA256
76d9772a93b6ae0998b5d968a83aabe422677cb7c0970ed7f6d1d5e95329865f

SHA512
b8ec65e343f2c5cdbdd3c14166c333ae699516793af0b90f028056f216c7bb9794a9c1403e27d28c82546b6bd49491d88c42b4f04232416a7bbee3fa4e574e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fh95ppgq.cmdline

Filesize
266B

MD5
aad151ef1da4bdba460ed5a9166b9f59

SHA1
874dfcd6809b0532520d7258555c04dbd9c04ac1

SHA256
e65038bb7e3931002ec812f236be49cb7dac817313f3c26ed572b70c63c839fe

SHA512
9e3aaab8df251d03adae12fde02a05fb3695e14d11d7316858b40fb178b5f022a70343b1852381de6bc42ff4e3a31908343e4fa57e6b17337c4b053f0d07efd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp48C3.tmp.exe

Filesize
78KB

MD5
cd873985686ad05c6aaf74d36ed15b9e

SHA1
99b3186fc081cdb9970b1d989682cc08609e6ee1

SHA256
2d45ffb8f530b0bcda11abd6d57277a5bb464b582b10419669b4c1b374f08d9d

SHA512
0020e40b1fb0f9a4937e6654d50f99253e3a6a6398c4f1a009d6501f699ceefd286b7b6a6121961454c840000eb6d660a68d044a4e9d0901dcf8884adcf9f8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc497E.tmp

Filesize
660B

MD5
48399942d5386122341345f28970035b

SHA1
8b59f7d2205a335d43f770bb7e89e81240f1cdea

SHA256
1f8b9b8800a490e00ac0c97ffb32e21a9b0c7599139e9f243c0bfe6e93030a40

SHA512
2420ea3753253eef9186ff2f9b04048bab2cc037f7db2303d726fd3a2531bf912bbcd44b50771f243b45f2f8648f0b2eb01fff642ef9564e46c5715ea29d3f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2080-0-0x0000000074FD1000-0x0000000074FD2000-memory.dmp

Filesize
4KB

Download
memory/2080-1-0x0000000074FD0000-0x000000007557B000-memory.dmp

Filesize
5.7MB

Download
memory/2080-2-0x0000000074FD0000-0x000000007557B000-memory.dmp

Filesize
5.7MB

Download
memory/2080-24-0x0000000074FD0000-0x000000007557B000-memory.dmp

Filesize
5.7MB

Download
memory/2188-8-0x0000000074FD0000-0x000000007557B000-memory.dmp

Filesize
5.7MB

Download
memory/2188-18-0x0000000074FD0000-0x000000007557B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing