metamorpherrat | 3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088

General

Target

3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe
Size

78KB
MD5

1a096835dc9f1a35dd3d673d90aa7e70
SHA1

07e5e8aaa36c5962799ccc141ab942418eb28921
SHA256

3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088
SHA512

c8dc3363e955793bd50820d153e760f831289f71fc52a59e90a55c993d0bf87d19137870c780d62b316bb51e891a5327209c48e3b114de89212709fd49f782d3
SSDEEP

1536:txy5jKpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti6A9/UT1hsg:Ty5jEJywQjDgTLopLwdCFJzI9/bg

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1420	tmpB117.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1556	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe
1556	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB117.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1556	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 2912	1556	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe	30
PID 1556 wrote to memory of 2912	1556	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe	30
PID 1556 wrote to memory of 2912	1556	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe	30
PID 1556 wrote to memory of 2912	1556	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe	30
PID 2912 wrote to memory of 2296	2912	vbc.exe	32
PID 2912 wrote to memory of 2296	2912	vbc.exe	32
PID 2912 wrote to memory of 2296	2912	vbc.exe	32
PID 2912 wrote to memory of 2296	2912	vbc.exe	32
PID 1556 wrote to memory of 1420	1556	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe	33
PID 1556 wrote to memory of 1420	1556	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe	33
PID 1556 wrote to memory of 1420	1556	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe	33
PID 1556 wrote to memory of 1420	1556	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe	33

C:\Users\Admin\AppData\Local\Temp\3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe
"C:\Users\Admin\AppData\Local\Temp\3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wmyrcrnz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1D3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB1D2.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2296
- C:\Users\Admin\AppData\Local\Temp\tmpB117.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB117.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB1D3.tmp

Filesize
1KB

MD5
0649874bbb7bf6d9d3c1c537569a2f28

SHA1
31806b835607630648cca30b288565d93dcfed8d

SHA256
0fa86aa53d42016ea84fc6ad17f78d13245f1e265e1e5d3ef8b43a85da4a8523

SHA512
80eee27cfc7801867f5b4ba0e79a43d1cd06671a8fc248756ca2e530d8cb56efd076036a5a0ae5c3648880ef44636044aead2c9722d436ab1ad39f70966f4839

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB117.tmp.exe

Filesize
78KB

MD5
660a0749a89b2bfc36b59ce8bf860de4

SHA1
03db6483b3622e39e978797b53963fa758a77809

SHA256
547853c38d939e30993971a6247e15468e876687c3908f359b9033cc86a08027

SHA512
4a1913926f2dec075c778bfe8e6c6883eb8433809dfc8b1e4754d4e536d6fdbb5f2c52aeb3334acab48ace1cb71fb4314f469061465400c5c8e7d1acf47a0138

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB1D2.tmp

Filesize
660B

MD5
e80dbc7e4120b63ee2c816d06c579c04

SHA1
e93a72f4bdc76428b14e5df5eeddf238103dce44

SHA256
06155436762c9366d40ad2c3484686dcba0d8647d14eeeca16d6f96364609158

SHA512
a94d208d5c524309ff83f0961cf562ddba19720b72f8cf2e3ba7a17548ca75b51e5007f8a98dcdbdd9c239095c4d0669a958605aecd17459a2c50c32b553aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmyrcrnz.0.vb

Filesize
14KB

MD5
bc530deddf8d66d0e21ee963613bcd69

SHA1
3ba62c1640385ae47786675fcdd2411dac5bd0e7

SHA256
66470f66c27a2280d921064b926e4b5de31c6396f88c83abf685e0b530a188d0

SHA512
7e76ec25e56b6861aa5d8b945097b2e56ded43fdc383cfa73d9c6ae7056a0e1e77d720f01b1da8e02fccb1d2216065c8863a2d4827f8ca438adaef2a67d5645c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmyrcrnz.cmdline

Filesize
266B

MD5
2fc44dc1eb83a3d605a9e1c1b3897321

SHA1
70fae1f04dd9cd1778d1c9feb297a96b03cb10a8

SHA256
aa766aaf0aa3a19be52e576c3ad6438a5fa7c163347fe6418fae86559708b485

SHA512
ea0c68cccc7588bbb1a35c2bce50956750c2d0d498daf96da7456769461b2aec63449129aeb5234782269b1faf571e03eb991677e45b42762d7f61b04c95792c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1556-0-0x0000000074531000-0x0000000074532000-memory.dmp

Filesize
4KB

Download
memory/1556-1-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1556-2-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1556-24-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2912-9-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2912-18-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing