metamorpherrat | 752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee

General

Target

752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe
Size

78KB
MD5

cb5bbd667e2c154fae05fd0ed65383d5
SHA1

dea41a84703c4cedf9ed7701beae4e10c7f20705
SHA256

752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee
SHA512

c5bd8555e26c4136fbaf2680ee3a2e8054b0f2c54b0fd027e5d6fb2cdcf559c0712bf3d8283368a70c37d1ed6214244eaf42dcec1794f3f24b9dff0721392660
SSDEEP

1536:D4V58EpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtd6T9/S1YQu:D4V586JywQjDgTLopLwdCFJzg9/Gu

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
804	tmp96F2.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1656	752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe
1656	752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp96F2.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1900	1656	752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe	28
PID 1656 wrote to memory of 1900	1656	752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe	28
PID 1656 wrote to memory of 1900	1656	752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe	28
PID 1656 wrote to memory of 1900	1656	752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe	28
PID 1900 wrote to memory of 2032	1900	vbc.exe	30
PID 1900 wrote to memory of 2032	1900	vbc.exe	30
PID 1900 wrote to memory of 2032	1900	vbc.exe	30
PID 1900 wrote to memory of 2032	1900	vbc.exe	30
PID 1656 wrote to memory of 804	1656	752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe	31
PID 1656 wrote to memory of 804	1656	752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe	31
PID 1656 wrote to memory of 804	1656	752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe	31
PID 1656 wrote to memory of 804	1656	752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe	31

C:\Users\Admin\AppData\Local\Temp\752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe
"C:\Users\Admin\AppData\Local\Temp\752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9thmkebw.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES980C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc980B.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2032
- C:\Users\Admin\AppData\Local\Temp\tmp96F2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp96F2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9thmkebw.0.vb

Filesize
14KB

MD5
c70bed94cd0bb914bf6d0fcdab3e9c3c

SHA1
f398891ee5c1db0977e03f2831cd24935a0574f0

SHA256
e8cb34b8784d5b9bb5fd32eee9b13de1d880db455ffb2c24c38f78a2c2ba9a96

SHA512
c1806eaa1b493ba2b4eb0da83c5cb064fcb56269d52d33844a72ada379a8e51a406871802a7f86e4d4d2277b4711adeccb765a42c4bf4bbd7d708e2cec008950

Download Submit
C:\Users\Admin\AppData\Local\Temp\9thmkebw.cmdline

Filesize
266B

MD5
103efbaef6ff98c35316c34ced1aaa00

SHA1
6dcb68c7d038763fbaa8a8fd18e6941d8088cf57

SHA256
afbcadab3b32129d026a1d886eebb5d343ae8559d8f44a939c537ffe8b18b52f

SHA512
e735ad644f178044f49de44a114b1de63c2620105907c9da5346a7aa25bc281a602444b5d1cc4355e91504f0f43ef162461f4df0200e77e78dbb9622bc8f3f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES980C.tmp

Filesize
1KB

MD5
97a74aa6839e88fdfe5eff61c3458139

SHA1
db857e26408aad7dc6c6d667af6262cbdf939511

SHA256
6fc78a938b805cf1828ec80b581813f1e29c7c0c2276a4e27e90789b3ac11937

SHA512
d4e9a986e4fc4e17bff9cc6d35887908c4056fc600eb4e56ccb3915fe5c75d07b9419baf2b15092a760ec72a5bbcf6a2311ac265b72ae32f0a91c042d955e5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp96F2.tmp.exe

Filesize
78KB

MD5
f7e3be7a63ec48836bdf639e4b49a55b

SHA1
7bf111935b4a3ff80f42a0b8436d542e67323e8a

SHA256
fdd0f9b53d4a00f37c690f1687b322a1e2806f604773f899f08096d748ec76b2

SHA512
38fa212e1d512ddd5c1bdf5bcf23338650a52127516853f0edbc6dddc2f24f96878eb66b9cfe4963f95dc5c30bce2ba0f1f680ac403a1937c10e597f0715c9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc980B.tmp

Filesize
660B

MD5
03c84fc5e0f3c52804bbae4775cd1c81

SHA1
686bc5f9d1d7199f5fb9ea7c65c71ff38d867b98

SHA256
4223006439667fa5b0caa331e2d6d53541853b91a2d24ccbfd86d76da7665e0a

SHA512
864b56d3338b603dc03c9848fee6f8ed316ec1f3e006b5a0226c1a984d1b266dc69e7e287cc4c13f2b76350ef1b4c37a39bb475f5eb86231c154ce06e1157eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1656-0-0x0000000074A41000-0x0000000074A42000-memory.dmp

Filesize
4KB

Download
memory/1656-1-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/1656-2-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/1656-24-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/1900-8-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/1900-18-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing