metamorpherrat | 9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7

General

Target

9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe
Size

78KB
MD5

26bc9c6cfdc28d2c53a97cb4e78f8140
SHA1

e2f51aea0e5f8f4802647b4e74871ce66f51dfdf
SHA256

9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7
SHA512

60cd1513cb80b56513b150fcaa757e39670fb1f8ef97f6da9abc50b40b19d19ba34ac589ffacf97fded2afd04f1a4fc156d743fe51753d359222daf7a7c75343
SSDEEP

1536:RsHHuaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtj9/f1GCm:RsH/3DJywQjDgTLopLwdCFJzj9/Tm

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2644	tmp692F.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2844	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe
2844	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp692F.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2528	2844	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	30
PID 2844 wrote to memory of 2528	2844	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	30
PID 2844 wrote to memory of 2528	2844	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	30
PID 2844 wrote to memory of 2528	2844	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	30
PID 2528 wrote to memory of 2924	2528	vbc.exe	32
PID 2528 wrote to memory of 2924	2528	vbc.exe	32
PID 2528 wrote to memory of 2924	2528	vbc.exe	32
PID 2528 wrote to memory of 2924	2528	vbc.exe	32
PID 2844 wrote to memory of 2644	2844	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	33
PID 2844 wrote to memory of 2644	2844	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	33
PID 2844 wrote to memory of 2644	2844	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	33
PID 2844 wrote to memory of 2644	2844	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	33

C:\Users\Admin\AppData\Local\Temp\9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe
"C:\Users\Admin\AppData\Local\Temp\9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p4bi4jqx.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6AF4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6AF3.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2924
- C:\Users\Admin\AppData\Local\Temp\tmp692F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp692F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6AF4.tmp

Filesize
1KB

MD5
38766104dcda04a9b7a59f8e5970c1a7

SHA1
5456531438e71652f4b6f7bfc558530f729c4ebc

SHA256
5e56ec5839fbbce7bac563f063d03860268733e56290db529d8b3573680437ba

SHA512
63d927fe0dfd2c4ac582b4f85ac495436f711643434cd87962adc420937d2b367da9cb70c56b2998910e7e305c934196298d27793d34d9ad2de7da24650ab3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\p4bi4jqx.0.vb

Filesize
15KB

MD5
c74ddd7cbf4485b61062731db27fc0c2

SHA1
d40e2af53565a2abb5e701cfe2a28fd4c1366d43

SHA256
564018bc123c6c78789acab1acc5b40ed5357b7d6c572ff11f19af9ef7ffe26f

SHA512
82b30ca9d0c4563c05cb04d2c23d135d9265312c9c4080da845958338b1a5d9644fbc3b08dfd85ab0ed820dcce940dd5ee31685e37f8b5224e82ca355a59f6d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\p4bi4jqx.cmdline

Filesize
266B

MD5
ca349ce091a75532212b9ca719a3587a

SHA1
cfc26db3a4550874bbd3480c04a70594ca80f9a7

SHA256
1bbe1bae448b4b956695680c773ce5a802512d935983a5fff46794f5a62d4df1

SHA512
174d5ef30f9857ee761a7c27ab2b1e24730e0928fc21fbc40e36519e500b1e53447845f31f502a3d7dbdcd52cadb59492439517e6bcd47012621ee2914c15ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp692F.tmp.exe

Filesize
78KB

MD5
9b78105eb807cebb81dfede8b146ea70

SHA1
c0b8e9b0b3a90559ba51939166a45aab0d44701a

SHA256
df51f62d6237c72166fc71d839f8dbd53a1fbf31c6e51b098cf8504110af8343

SHA512
ee49d74c19d089b95f1699f905b80cb2f4779e4737a04a604916ca297123473c1811e2563dd68c39de286381369ae9aeb02c696fff0d531683f58a8a2ca12300

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6AF3.tmp

Filesize
660B

MD5
31cf816845b8101d73b5d1745df651f4

SHA1
87bb6f14ab4a71c7ec400d520575bd2403ca24bd

SHA256
052564751cf7071ddca28090e4bf7aa975b4b5a27526e690c282b258bf5544a3

SHA512
be644ac3afc17c94504c7898e284067d1e4ec20061b88eecf2ce1693ab579a134e4ef257979df6de67714ec6eabbc864bb7e25ec118958f8c3e636b13a02f116

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2528-8-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2528-18-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2844-0-0x0000000074531000-0x0000000074532000-memory.dmp

Filesize
4KB

Download
memory/2844-1-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2844-2-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2844-24-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing