metamorpherrat | 8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0ba

General

Target

8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe
Size

78KB
MD5

997fdef1f74300e8381a467d3bbdac00
SHA1

352c2bf3a99786aca90e980bb91fcc05c3975e29
SHA256

8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0ba
SHA512

1b093c766ac71459a46441989b2679fae70c50bf27b247d829f2720535796872e14138da1eb3a6ec798a656d29e982220e3d37fd980b83dad1168bc95e4ab38e
SSDEEP

1536:GRWV5jVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtd629/H1i5:GRWV5jDJywQjDgTLopLwdCFJzd9/4

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2800	tmp842D.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2504	8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe
2504	8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp842D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2876	2504	8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe	30
PID 2504 wrote to memory of 2876	2504	8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe	30
PID 2504 wrote to memory of 2876	2504	8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe	30
PID 2504 wrote to memory of 2876	2504	8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe	30
PID 2876 wrote to memory of 2428	2876	vbc.exe	32
PID 2876 wrote to memory of 2428	2876	vbc.exe	32
PID 2876 wrote to memory of 2428	2876	vbc.exe	32
PID 2876 wrote to memory of 2428	2876	vbc.exe	32
PID 2504 wrote to memory of 2800	2504	8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe	33
PID 2504 wrote to memory of 2800	2504	8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe	33
PID 2504 wrote to memory of 2800	2504	8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe	33
PID 2504 wrote to memory of 2800	2504	8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe	33

C:\Users\Admin\AppData\Local\Temp\8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe
"C:\Users\Admin\AppData\Local\Temp\8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\skb2he_r.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc84E9.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2428
- C:\Users\Admin\AppData\Local\Temp\tmp842D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp842D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8b4806e8a43bf92dac4637ecc792bbf048e37caef9f6f282584b6aecf8fbb0baN.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES84EA.tmp

Filesize
1KB

MD5
1d432b19a67dc389631fe0228ebe1a00

SHA1
85e643343ed951eb7842b71719e48d85ed89e53d

SHA256
428673bb32e2db9b9d3f522b4fa44073fc6b18699d0ceea7135ed83eef0e4985

SHA512
1a96ed112071205aab56c8cae7bf1a9917aabda2137ec64175df004ae9f878ab0adc916b0690a8a9853898854b519f4a1ef011a79a1477b2d56f43e0aa7b8a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\skb2he_r.0.vb

Filesize
14KB

MD5
e0fb171385e070e6f051ba4be935c073

SHA1
0d022ff7d81a28fbae4eab296aa7927c2924455e

SHA256
183df61b3b7173865cd4313238e69d3d45a22b2719be4338702af5368ed05f54

SHA512
a5320606428b10165bd7d96c280431535134450aca15a51b67bcde51b19fcce16eb36826f97093255afc137e2347c0da3e7a69e27c42f00bd26cace3c3a2d888

Download Submit
C:\Users\Admin\AppData\Local\Temp\skb2he_r.cmdline

Filesize
266B

MD5
bf4665e302a8c679c46efb35ddcab0b0

SHA1
823ef9e98b2ffc1b9093bb58c6911c9c143e14fe

SHA256
0e0e94545a893b0d61a7cee5506c1d192f480ba4e80dcd04e6d0e64ebf93d284

SHA512
1f97a813d1d633b483874af63e8890bfdf7a176cb75049b7c6c173682b66d8d0f087197df2aa22f1626a2e5b1ab4d4b5edb1021b09ae7d879d66508ce2ef785d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp842D.tmp.exe

Filesize
78KB

MD5
9871531447cd93c89811682767fa4466

SHA1
8d7efc837f2d7e699684e94aa04f5e3c8f801b1e

SHA256
14a818b1c9de563796bc65d89eb99161848adc734b7552e00f6dbd8d0bc55a98

SHA512
e51aba89f25363422ef9c59fa8853e614cf35041e3bd330f515c2228b22a54172127f7787e1872405b721063cfbf407b25dcd3a2a34ad7756e6f1866c51a57ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc84E9.tmp

Filesize
660B

MD5
6dd6982b968724a08250765c43dcf681

SHA1
a605a309af5ba8e3d6bde6e437946702ce9d320f

SHA256
9eab3a913aad2679ad4b39b5e46403eb34149e17c04fd90156222e8d1ed4c9ee

SHA512
d1e9ee069f0711500b8ebaf91789c39d8d39d714d00b375049ee7ceed956dae389dea82681d541e066d1dc73927f0301349d4d83b568038e5301dcf7e6417ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2504-0-0x0000000074011000-0x0000000074012000-memory.dmp

Filesize
4KB

Download
memory/2504-1-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download
memory/2504-2-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download
memory/2504-24-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download
memory/2876-8-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download
memory/2876-18-0x0000000074010000-0x00000000745BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing