metamorpherrat | 3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088

General

Target

3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe
Size

78KB
MD5

1a096835dc9f1a35dd3d673d90aa7e70
SHA1

07e5e8aaa36c5962799ccc141ab942418eb28921
SHA256

3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088
SHA512

c8dc3363e955793bd50820d153e760f831289f71fc52a59e90a55c993d0bf87d19137870c780d62b316bb51e891a5327209c48e3b114de89212709fd49f782d3
SSDEEP

1536:txy5jKpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti6A9/UT1hsg:Ty5jEJywQjDgTLopLwdCFJzI9/bg

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2532	tmpD23D.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2324	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe
2324	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD23D.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 1760	2324	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe	30
PID 2324 wrote to memory of 1760	2324	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe	30
PID 2324 wrote to memory of 1760	2324	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe	30
PID 2324 wrote to memory of 1760	2324	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe	30
PID 1760 wrote to memory of 2648	1760	vbc.exe	32
PID 1760 wrote to memory of 2648	1760	vbc.exe	32
PID 1760 wrote to memory of 2648	1760	vbc.exe	32
PID 1760 wrote to memory of 2648	1760	vbc.exe	32
PID 2324 wrote to memory of 2532	2324	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe	33
PID 2324 wrote to memory of 2532	2324	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe	33
PID 2324 wrote to memory of 2532	2324	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe	33
PID 2324 wrote to memory of 2532	2324	3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe	33

C:\Users\Admin\AppData\Local\Temp\3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe
"C:\Users\Admin\AppData\Local\Temp\3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ut6ptjfl.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD6A1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD6A0.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2648
- C:\Users\Admin\AppData\Local\Temp\tmpD23D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD23D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3b1fb02164bcd11f00350d501c07496eb737017a92484a0272a76474f66b4088.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD6A1.tmp

Filesize
1KB

MD5
8eb969a6d9af81a4ff9f12570fa4dd9d

SHA1
840637a3e083e0697083eb3411c624453002c38e

SHA256
66e1d4346dcab19ea119be7ced1502e456a3a5cb475c8be033105904f433a945

SHA512
5a0c35fa16334c5fe34785699a4ee5e79ce0d973b2c27d419e6a7b493c714d2336b72d451cf13be2a375a1458976151dd27ff031e6dad6fab76772631637f4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD23D.tmp.exe

Filesize
78KB

MD5
e1d51c26fc19c0899832a3a686e73cf7

SHA1
ec7237a4c0b762c4a31e1bf7ed2d60c8940da49a

SHA256
14cba70c88fed87ace56daa46f0e006523f4aaa7aadbe9d1d2d4da640f269ff1

SHA512
809e620515fd6e899071187eab088137f56977694e21eb4a310f1f82a1ef187c1ba101b1e9ee8767aa7eb057f42a532c718eb66d60f0d293b173bcbf39be54dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ut6ptjfl.0.vb

Filesize
14KB

MD5
20e912a05bb5a4e6008a9350aefe1bc4

SHA1
715ae4c817b16f27e9386c2b97f8a795f1e748b8

SHA256
c3dcd12e06ce917d9ef7320f18872726495ddd13586f980d1560a182dfa9ec8c

SHA512
c00af27cf9d3f1541fed384e11697b2334961906d6469543c1c077eecdb477460f8379e3f417a20a371eb3bcb8133b1ecc21b4a64e3cd8c815a067bd36483b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\ut6ptjfl.cmdline

Filesize
266B

MD5
7244c5652587154ad88b3bbe87378de5

SHA1
2dd1ca4adc170f696fc3d355e1d3e490d0834122

SHA256
09df2d9560dc5acfd38838d32c612c8363dadd9a07fa9141e7255b170e4af773

SHA512
e9a524debad24a3baedcf790d1dc7356525b6af5433d2638999b8f6efd642aba49e66b57a51187cfe57638d851602de7c0b4f8c0ccd79e763b456ff2356c944c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD6A0.tmp

Filesize
660B

MD5
d05267184475271a82ad2a8b67bc4b5d

SHA1
ac6c738ebaae6ed90cfdc71acea07d2ac04c0d2d

SHA256
d28f04b079e9766ada260fca8bf82bbecb91c8ca049fe27c7f04d392a773fd0c

SHA512
541f242025b70de38aed84a82f8ee46a9b2564e3d31ec4a142cd76821ff24c74a253347a4e5fdcdbe008a0bf04b34548b9201bf5579b511e12e90d33262dcfba

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1760-8-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-18-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2324-0-0x00000000748D1000-0x00000000748D2000-memory.dmp

Filesize
4KB

Download
memory/2324-1-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2324-2-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2324-24-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing