metamorpherrat | 707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465

General

Target

707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe
Size

78KB
MD5

9962927752e377c54ed74bee9d3d4242
SHA1

92b1bfe41fb3e7e9bcd399400017c2421338a4de
SHA256

707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465
SHA512

371f9f73713eaa3ff8a5f308eb0268ceafc7e6ae55a3e7268bf556cb5bbedfc907875c9734c0f34012303cb829aeff597b06edb3072fb01a5cb03b19490471ce
SSDEEP

1536:NStHF3uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtL19/uw1HzH:NStHFP3DJywQjDgTLopLwdCFJzL19/hH

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2480	tmpB5D7.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
596	707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe
596	707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB5D7.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	596	707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 596 wrote to memory of 1728	596	707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe	30
PID 596 wrote to memory of 1728	596	707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe	30
PID 596 wrote to memory of 1728	596	707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe	30
PID 596 wrote to memory of 1728	596	707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe	30
PID 1728 wrote to memory of 2496	1728	vbc.exe	32
PID 1728 wrote to memory of 2496	1728	vbc.exe	32
PID 1728 wrote to memory of 2496	1728	vbc.exe	32
PID 1728 wrote to memory of 2496	1728	vbc.exe	32
PID 596 wrote to memory of 2480	596	707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe	33
PID 596 wrote to memory of 2480	596	707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe	33
PID 596 wrote to memory of 2480	596	707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe	33
PID 596 wrote to memory of 2480	596	707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe	33

C:\Users\Admin\AppData\Local\Temp\707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe
"C:\Users\Admin\AppData\Local\Temp\707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:596
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qcigq2xs.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6D2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB6D1.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2496
- C:\Users\Admin\AppData\Local\Temp\tmpB5D7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB5D7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\707982306fed46413215d73186952a8b3bfded7822b1045d3707f1e9883b0465.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB6D2.tmp

Filesize
1KB

MD5
556b4ab964c72ef788a6358da02353a9

SHA1
e4460a09ae53b3dc3f79a4d6781416b853619a91

SHA256
d25e94e35105679aaeff76b71416867afe76837fc84cb0f7968be576e29020d1

SHA512
def18f33b976e3f879c51e458e804bc4d98a63a4a2188d0fb824da0edbf7f4a4601458e5f4113ee5fd64ecfb2b76cad601cc99e38309325f7edd30a397f5885a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcigq2xs.0.vb

Filesize
15KB

MD5
a62fe459fb2f23878a03c17a98701464

SHA1
a35fb7d27dd07cc6756bd1e04df85fb34578365d

SHA256
e2c101edf1ce4fd5a88f2c4436e71908e7d87bdb4d033028c246e6fe270d80ca

SHA512
2aaa2121ba5dd59891eb4b6e3407c1b820b131386ca3192ccb1ec9456037c45e829e96e1902ac4d497deae3e81d6aa983f0351e0b29ecdf590de99da0ed823b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcigq2xs.cmdline

Filesize
266B

MD5
341032f85fbfffb25b0e55c7abd71ffe

SHA1
d375527d8bf82cf50cbfddc57e4a350d16daf36f

SHA256
ae3a629bed8840a888f717219f64eebdabfad57d1fc4477a2f516a408fdc461c

SHA512
50f73cd55bb10736a1f92f5b00f699a1ecc19ff266ff8513aa4bd513567f8e94ac08c455fb5705fb74f62970515cec9d4dd46058727d64fe79c11ad7a972b91a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB5D7.tmp.exe

Filesize
78KB

MD5
b3c8c83e462389e755d96c41883bff0c

SHA1
96c67f7f90fc2395680f6b1e6ce19c1dbc8f9bda

SHA256
38400955799b42ee2d27437dc2c3afb98a2c494bb6c610aea1d00b3e188dcf3e

SHA512
c822ec2af036e82314d519af4ae2a93ffb1c41f62b3a7123c904d961cdfb7acd9726fe01ca8f5983c4c3ed2fd4824f255a47e12690a48a93bf2fc03ec6967a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB6D1.tmp

Filesize
660B

MD5
82575e82dd1ddfcaa9acabdc79bfa557

SHA1
8934c35947ca3ed946c1b5afc3eb03b17024d4bd

SHA256
b351bfb370ec5fef5d5797a8f79b4750b5048ea67ac189c284ff428ac5a9ed48

SHA512
c6b12001f4d6a56a04c9ddda641688495e9be1280fd720563260e7f9b3e90ac19df13ba724b04c8a3f4bfc94a9fc1906af89929abbfb0100ccb2e80d49043e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/596-0-0x0000000074541000-0x0000000074542000-memory.dmp

Filesize
4KB

Download
memory/596-1-0x0000000074540000-0x0000000074AEB000-memory.dmp

Filesize
5.7MB

Download
memory/596-2-0x0000000074540000-0x0000000074AEB000-memory.dmp

Filesize
5.7MB

Download
memory/596-24-0x0000000074540000-0x0000000074AEB000-memory.dmp

Filesize
5.7MB

Download
memory/1728-8-0x0000000074540000-0x0000000074AEB000-memory.dmp

Filesize
5.7MB

Download
memory/1728-18-0x0000000074540000-0x0000000074AEB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing