metamorpherrat | 97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f

General

Target

97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe
Size

78KB
MD5

4aa46b57e4b1c31ae996afdd8e28f03b
SHA1

0a49f02e2b13a0d06f6133ca05266317c6ea460b
SHA256

97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f
SHA512

7521aa642f56e222be96a7f9dd571684ec41e31a452b18babdde5775b917c32415731f37082941836ab9a9a344f3b1d7e31aa559c2d95f8d048d1e1d21f18bd9
SSDEEP

1536:aPWV5jBpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtd61K9/R/1n+Y:aPWV5j3JywQjDgTLopLwdCFJzmK9/RQY

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2224	tmp6ECA.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1164	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe
1164	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6ECA.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1164	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 2184	1164	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe	29
PID 1164 wrote to memory of 2184	1164	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe	29
PID 1164 wrote to memory of 2184	1164	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe	29
PID 1164 wrote to memory of 2184	1164	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe	29
PID 2184 wrote to memory of 2656	2184	vbc.exe	31
PID 2184 wrote to memory of 2656	2184	vbc.exe	31
PID 2184 wrote to memory of 2656	2184	vbc.exe	31
PID 2184 wrote to memory of 2656	2184	vbc.exe	31
PID 1164 wrote to memory of 2224	1164	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe	32
PID 1164 wrote to memory of 2224	1164	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe	32
PID 1164 wrote to memory of 2224	1164	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe	32
PID 1164 wrote to memory of 2224	1164	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe	32

C:\Users\Admin\AppData\Local\Temp\97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe
"C:\Users\Admin\AppData\Local\Temp\97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a8puarsn.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70CE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc70CD.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2656
- C:\Users\Admin\AppData\Local\Temp\tmp6ECA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6ECA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES70CE.tmp

Filesize
1KB

MD5
66765c3f5922148f6fa36b7db9467760

SHA1
ebc2c0f402bbf206b7e22e91686d185774f4add6

SHA256
0e0029589017b64291bf4b9bf670bec56664c1373df993e5fb8c11d29b40f062

SHA512
4a6070ef816ec4de1fcd1d0bc0b3f8cd64334d306ea2ff4cc138ed908bbd3a421d03ae46f26ec828df4d4a0e1736005333a0bbfb1fec5088b24c0ba8e98739d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8puarsn.0.vb

Filesize
14KB

MD5
231b029567136b98a66624300f1d7557

SHA1
1072e60416c451dbf0ba94c7f85e856ab0b28963

SHA256
e148b3bfc694bb3bd3b68f6aa21f2bd65167a5874ab053ede37ba7236bbfa9e7

SHA512
dcd26309fb5a1167e85cbb1e8a7dd74838c8607615b350596dffa99a7e1dff7e694e4ba812f100a26ff0eaed2cbbe1eac30095dd0b2beb4f5d2d84295074c9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8puarsn.cmdline

Filesize
266B

MD5
6f7bde3a928b37227d355c403488403c

SHA1
de4d13bc1baea561580e0303175806a3696d4538

SHA256
2539b21193ed9aa721eb3c0e7360e06e757ab0a1ee1a1d29f672acc6d598a9a6

SHA512
90bbd42210b9ed1e3c75fbf4e1394b13058bef72499ac7e3fe7bbf2e969792aed930d5ae2f919a447ebd6476f5a391d7a1bb27dab24d04b40bc9522698d0d225

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6ECA.tmp.exe

Filesize
78KB

MD5
b920d594c6c01b566e7128038e2988b5

SHA1
d37d0e8c8e598287f352df2a7e7269ce7e5a0130

SHA256
1a145044c7a0dc862bab78abbb7f6934dec473e47c2abe54a35a89d459a6f900

SHA512
363b9d072b06c01106f8814fb4f13d17d4243735a4747d4019f34f539161a0d2092b08d78a5ff314148a91535e4bd39aab15aa4f9cc8d802034160130a0bd79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc70CD.tmp

Filesize
660B

MD5
4f20f15bfbe157126ff124942dbad553

SHA1
20edd5dd7844edc2c71b22d4175f656aa5411bfc

SHA256
2e5812037aaf72c28aa1374b065f0befdbd0f0cd83fd60b6be0e7933292f1f50

SHA512
9dbb76ef8b617ad8db534acd53ce3ef319452be446c131dd3bae7f487eba9d96f5530ad6c92ed1f2d8dbab070b1db21dab8d2a47d690f7dcaa47eef8bc8f364f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1164-0-0x0000000074D11000-0x0000000074D12000-memory.dmp

Filesize
4KB

Download
memory/1164-1-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/1164-6-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/1164-24-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/2184-8-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/2184-18-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing