metamorpherrat | dcf11f95ecc0dd91cb11a8f71600f8c19ad69eb18bb90844aecb01ba4a0a6f96

General

Target

dcf11f95ecc0dd91cb11a8f71600f8c19ad69eb18bb90844aecb01ba4a0a6f96N.exe
Size

78KB
MD5

e36288c08998542e5c5d993a13dd4810
SHA1

b34e100fc003def49eab449e580c41bc7d8e578d
SHA256

dcf11f95ecc0dd91cb11a8f71600f8c19ad69eb18bb90844aecb01ba4a0a6f96
SHA512

9b30918105eb9563bcb9311769dfa0830caddc56cea2b1a281e441c179bc575a51648ec78da9d73d74d20337a1cb2b1dfc32dee81650e300c795aacb1feb02b1
SSDEEP

1536:txy5jKpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti6A9/UT1hs:Ty5jEJywQjDgTLopLwdCFJzI9/b

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2916	tmpA718.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2692	dcf11f95ecc0dd91cb11a8f71600f8c19ad69eb18bb90844aecb01ba4a0a6f96N.exe
2692	dcf11f95ecc0dd91cb11a8f71600f8c19ad69eb18bb90844aecb01ba4a0a6f96N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA718.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcf11f95ecc0dd91cb11a8f71600f8c19ad69eb18bb90844aecb01ba4a0a6f96N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	dcf11f95ecc0dd91cb11a8f71600f8c19ad69eb18bb90844aecb01ba4a0a6f96N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 496	2692	dcf11f95ecc0dd91cb11a8f71600f8c19ad69eb18bb90844aecb01ba4a0a6f96N.exe	30
PID 2692 wrote to memory of 496	2692	dcf11f95ecc0dd91cb11a8f71600f8c19ad69eb18bb90844aecb01ba4a0a6f96N.exe	30
PID 2692 wrote to memory of 496	2692	dcf11f95ecc0dd91cb11a8f71600f8c19ad69eb18bb90844aecb01ba4a0a6f96N.exe	30
PID 2692 wrote to memory of 496	2692	dcf11f95ecc0dd91cb11a8f71600f8c19ad69eb18bb90844aecb01ba4a0a6f96N.exe	30
PID 496 wrote to memory of 1164	496	vbc.exe	32
PID 496 wrote to memory of 1164	496	vbc.exe	32
PID 496 wrote to memory of 1164	496	vbc.exe	32
PID 496 wrote to memory of 1164	496	vbc.exe	32
PID 2692 wrote to memory of 2916	2692	dcf11f95ecc0dd91cb11a8f71600f8c19ad69eb18bb90844aecb01ba4a0a6f96N.exe	33
PID 2692 wrote to memory of 2916	2692	dcf11f95ecc0dd91cb11a8f71600f8c19ad69eb18bb90844aecb01ba4a0a6f96N.exe	33
PID 2692 wrote to memory of 2916	2692	dcf11f95ecc0dd91cb11a8f71600f8c19ad69eb18bb90844aecb01ba4a0a6f96N.exe	33
PID 2692 wrote to memory of 2916	2692	dcf11f95ecc0dd91cb11a8f71600f8c19ad69eb18bb90844aecb01ba4a0a6f96N.exe	33

C:\Users\Admin\AppData\Local\Temp\dcf11f95ecc0dd91cb11a8f71600f8c19ad69eb18bb90844aecb01ba4a0a6f96N.exe
"C:\Users\Admin\AppData\Local\Temp\dcf11f95ecc0dd91cb11a8f71600f8c19ad69eb18bb90844aecb01ba4a0a6f96N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5t9whckd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:496
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA95A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA959.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1164
- C:\Users\Admin\AppData\Local\Temp\tmpA718.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA718.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dcf11f95ecc0dd91cb11a8f71600f8c19ad69eb18bb90844aecb01ba4a0a6f96N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5t9whckd.0.vb

Filesize
14KB

MD5
1ab1ad9a7cc7297ab7f8d459d6b7d892

SHA1
0a755eb601688dcbeab897f5673826706d914b97

SHA256
660ac8f98b242015e19cfc331c605cef62af3ec722283c119105a3a9f2a480bf

SHA512
73e4c339a0be956a6cd48b44f65191357064fae2ddceea49e07e8705a07ba0b18ac4d759e39d9d71d5b3221594fc5e5ffac50cabea784f9b2c98d83d7e8e0985

Download Submit
C:\Users\Admin\AppData\Local\Temp\5t9whckd.cmdline

Filesize
266B

MD5
106cd30f6ccee611db6a36d110e41cef

SHA1
e8ee0c844a142a7bf3a59f4291272f0ad2f6235d

SHA256
9cac0bae92b5bb059bd3c50f710ec911cc7803188ae917f632229a9567216139

SHA512
677ad01253f581016ade001ca7571c0300146d76dae589d06b67cbde200d33860709bb47855b95710b52889e9944916375ccb6f47c89a7f58495c0ee40143ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA95A.tmp

Filesize
1KB

MD5
c8f317da05e9f45571a22d0ecf24ed9b

SHA1
363e9f7cae4f6581ee3443d1afc4bd41f01b960d

SHA256
cfa3d057d47d2d917ae6df21602b96be542d4f30c61885393c5d8d9144416056

SHA512
bb1e51a8f71aaa1b24b8b4f7b50f77163a15c1a99c06b13a2da6af23a68cc78b6e71e61d2c198e1468c2746a312b4ab456e986b11d93cffdc31823d1728d075d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA718.tmp.exe

Filesize
78KB

MD5
f0589ffb8316e645f5ca202d9b063cec

SHA1
c4aac2f01fa833587880afb44914f4d0cd103fe7

SHA256
eb22b01b0c80b920b217344efff5a75d618840b221ae398c393eb26c9ef792b9

SHA512
1d50a64c16c0b6d5e7cb0eff87822662af8357b47b813edf9a839582971d447cf574f2ffe87843a28548c137e30c6f338e749e496fc39a056a93c74dfc61bfd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA959.tmp

Filesize
660B

MD5
7ab4dca91513e0c16ba4dbf5927873f3

SHA1
db35760b7ef5d01630fdc682a1808eb603b81c19

SHA256
9615e8e0049374b5619432bd89a929e2578f2df82b3dd39409fae942de78e409

SHA512
dc27439bcff62312b909967139d5f39c2d7dddd78ff89926e03b9261c3ad4eb010c1e49c155b7e9920d0e8f257ce8dfd82baaba1d152765dfb222547ec78c2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/496-8-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/496-18-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2692-0-0x0000000074251000-0x0000000074252000-memory.dmp

Filesize
4KB

Download
memory/2692-1-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2692-6-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2692-24-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing