metamorpherrat | 4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25

General

Target

4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe
Size

78KB
MD5

3582cd6030e1db8dd72f768906e2f130
SHA1

fb55fc2001e1264e1fb7eb75148d965e705966c6
SHA256

4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25
SHA512

3b38dff43364649f5d3af5d85c1f2205b947065c33621dc36d10311071822307636fca712abe1b90d7272097eda17e1bd99cf348b4a9d627edfe5158382a0bea
SSDEEP

1536:XHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtLu9/P1Ab:XHFoI3DJywQjDgTLopLwdCFJzLu9/Q

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2392	tmp9CFB.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1452	4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe
1452	4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9CFB.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1452	4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 1240	1452	4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe	30
PID 1452 wrote to memory of 1240	1452	4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe	30
PID 1452 wrote to memory of 1240	1452	4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe	30
PID 1452 wrote to memory of 1240	1452	4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe	30
PID 1240 wrote to memory of 2508	1240	vbc.exe	32
PID 1240 wrote to memory of 2508	1240	vbc.exe	32
PID 1240 wrote to memory of 2508	1240	vbc.exe	32
PID 1240 wrote to memory of 2508	1240	vbc.exe	32
PID 1452 wrote to memory of 2392	1452	4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe	33
PID 1452 wrote to memory of 2392	1452	4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe	33
PID 1452 wrote to memory of 2392	1452	4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe	33
PID 1452 wrote to memory of 2392	1452	4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe	33

C:\Users\Admin\AppData\Local\Temp\4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe
"C:\Users\Admin\AppData\Local\Temp\4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sfee2g6u.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E34.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9E33.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2508
- C:\Users\Admin\AppData\Local\Temp\tmp9CFB.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9CFB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4d3496533ed3fc48b46bc0e544bdec26037090cccbf0473f5b53d0e6ccdd5e25N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9E34.tmp

Filesize
1KB

MD5
393eb06d5fa25b24b9e3a0b735dd6343

SHA1
0a8f3338205b84cbc04c4362bdc8eff86c6ab47b

SHA256
17a8636cb4645043383c1cb264cb328a0004a496953ca2d676e4751f33e10f86

SHA512
6c8cc67fd2c4ac6635003884ef6728033253ba325ae133455fa6e21589a6a4a89fea437a379794e564d6e05b56fbcf65fd7610e115de98c9b0e79dd36a5b9dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfee2g6u.0.vb

Filesize
15KB

MD5
d1d00b39deca1a4277374587633ee81a

SHA1
dc003969b15b965db8c967559949ffacb81f217f

SHA256
04dc0975e51b05b61e068f0d1eb56e560d6d905a22bb47491d7c363e23c494e9

SHA512
27bf53e4ec0d1216064ca70e01d5aa5c9751c747707dcc4986508a8a99e685a2313921ca335dc9280b8cea66977941505e55d72573e6cc9605370c159bcd25f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfee2g6u.cmdline

Filesize
266B

MD5
910caa6252fe4834dac25f69fcf49639

SHA1
e0028daeb17f513855a04933f76a0069f7a82e1f

SHA256
6910e70e87e2e1d86f5e8bb5280dd56c475d245f6473e15ed05553503768effa

SHA512
18c6345cafd4245b99c7268858acc98e21e185c130cbdc4586c0797460b9f8e2cd86f14ce403f838e05dd02a12604a8c32d86d091118ca499222111476fff944

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9CFB.tmp.exe

Filesize
78KB

MD5
18d8b1a44b58543ee3dfcec6de83b3be

SHA1
268fd792b81fdb4e61b215a2bab7b7d6ba22e239

SHA256
edfec6c8f5fd15b7e15cf3105a3ec4ded448bfcdb2c9db502ba33a8cd66e0c33

SHA512
f8bc80b1f3d6e3e93adc3db0c4a3c2d115a47bc29751854134d52482ac85f24dbc7602104044494cb7b064c1216f061d6da5064cb24626f6b8f56b9a4b0bd277

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9E33.tmp

Filesize
660B

MD5
70834d451f08263043e7d635aef22590

SHA1
d552ca95a6432c842bfe6916a6065fdfbfe62d64

SHA256
fbbcd243384f6297b4902a298bf02bf47aef1bdf58f969356da21d07509db8b7

SHA512
6a31217f147c8a0f0985a2245b4424575a884f83654213aa22dae0b7348539f98de3d05c133990bb6829ab9453c70304c689419e31efd1325854c6ed6fb7c9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1240-8-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/1240-18-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/1452-0-0x00000000743B1000-0x00000000743B2000-memory.dmp

Filesize
4KB

Download
memory/1452-1-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/1452-2-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/1452-24-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing