metamorpherrat | 9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7

General

Target

9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe
Size

78KB
MD5

26bc9c6cfdc28d2c53a97cb4e78f8140
SHA1

e2f51aea0e5f8f4802647b4e74871ce66f51dfdf
SHA256

9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7
SHA512

60cd1513cb80b56513b150fcaa757e39670fb1f8ef97f6da9abc50b40b19d19ba34ac589ffacf97fded2afd04f1a4fc156d743fe51753d359222daf7a7c75343
SSDEEP

1536:RsHHuaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtj9/f1GCm:RsH/3DJywQjDgTLopLwdCFJzj9/Tm

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2856	tmpA821.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2524	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe
2524	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA821.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2336	2524	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	30
PID 2524 wrote to memory of 2336	2524	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	30
PID 2524 wrote to memory of 2336	2524	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	30
PID 2524 wrote to memory of 2336	2524	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	30
PID 2336 wrote to memory of 2380	2336	vbc.exe	32
PID 2336 wrote to memory of 2380	2336	vbc.exe	32
PID 2336 wrote to memory of 2380	2336	vbc.exe	32
PID 2336 wrote to memory of 2380	2336	vbc.exe	32
PID 2524 wrote to memory of 2856	2524	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	33
PID 2524 wrote to memory of 2856	2524	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	33
PID 2524 wrote to memory of 2856	2524	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	33
PID 2524 wrote to memory of 2856	2524	9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe	33

C:\Users\Admin\AppData\Local\Temp\9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe
"C:\Users\Admin\AppData\Local\Temp\9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nzhm_qp0.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8AF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA8AE.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2380
- C:\Users\Admin\AppData\Local\Temp\tmpA821.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA821.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9eeffccf541e56f569707b1c2a44b85738056866f919bd1a93dd3b35423b13a7.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA8AF.tmp

Filesize
1KB

MD5
aeb1334f77085723ec1fabafc767881b

SHA1
39370f7d2663d822beeed960fe1a44d8ce21f371

SHA256
069639f47839b45e5c03164f8e08c340ce211a997a20b6a6e58f71fdc7fe84f7

SHA512
e6235eeaff199fa3d2e0cfdb1cfd604981f1be61ff7337d76c727c2e3773f49940c519511c1b41be1cf5ab22453582f3faa10f6b1391854a378922fb248535ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nzhm_qp0.0.vb

Filesize
15KB

MD5
e672461f93c8e7a5857fb21f9ff4df9f

SHA1
364b317de2977f952f7e35940a656a2941287036

SHA256
4a8941d0c2d9db628e2a981313f4589698c3ced5edf5aa8f9f2b2d8bdf94ba0f

SHA512
fcb443c6a97d13fe4d85d102d521ae86125d8d0bb3cdda899b7333efc5b9575e82e2b6a8e332349f5a848176ab471fe920047f2ea9648036f795a06e74f53948

Download Submit
C:\Users\Admin\AppData\Local\Temp\nzhm_qp0.cmdline

Filesize
266B

MD5
45e856eecaae08724f2fe494136588b0

SHA1
f76fe7dfca27d8774b50ea473d0a311ece0bbcb8

SHA256
1c3d60ce8fe225af1df38c727a88327ed8ce90f02efe7e0a158a7dbad2ac8623

SHA512
57b3a61c339a06accd5a0d520e9519693781e53e1a1d8a2dfd9211dbfab6ef48652145510b90e8ebf0c7ebcb7e8c2bf8310d4a2c5a194d2d5a9c8fdd7e394f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA821.tmp.exe

Filesize
78KB

MD5
bdf8f87685686b01096552142809c648

SHA1
136205714a7af9cac8d50a2fac04b819ddcb1ead

SHA256
2d987da8b7530772c2130369cb7d2ab557b47144fe7a47a0110b501a35ed4066

SHA512
78761dedc360ff1140e618aa8d20af5897d29a96be33f48846165d33c81d54e5bb1491027e72282dd4f21ae120d83a3b2479cfeafb2c49a2e62d84a2dfe671ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA8AE.tmp

Filesize
660B

MD5
f413ac6b6c5fe85615cda05bcd324e20

SHA1
6c6cb7b6086951331fff945048859e518185df75

SHA256
bcf41dd3dbc142a7235c0ff7ff9e6f7036f1e30f7796b37639e010a5bfd7c565

SHA512
7d04e734bfa8095c3de40c9687b5271d9179591d9078d6679e95a36101b4ff45eb05e594cc60077c9cde656a3fdb5ac683bc0556dc1d9cbb504bcb015c31f6a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2336-8-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2336-18-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2524-0-0x0000000074251000-0x0000000074252000-memory.dmp

Filesize
4KB

Download
memory/2524-1-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2524-2-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2524-24-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing