metamorpherrat | 8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdc

General

Target

8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe
Size

78KB
MD5

7ecd8605e046c54c694e9dc12b58c0c0
SHA1

84742e2d97d4ced9ce07722a3eee6ca084204a59
SHA256

8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdc
SHA512

e5880f0b791164a7be15fa7c9529b0848b187618b36ad7aabc19dc4ba593a0015622533a8464a841a6c840f7c69236a87f01b1e7e85cc63f329e1b965adecb86
SSDEEP

1536:D4V58EpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtd6T9/S1YQ:D4V586JywQjDgTLopLwdCFJzg9/G

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2356	tmpB6D1.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1732	8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe
1732	8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB6D1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1976	1732	8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe	30
PID 1732 wrote to memory of 1976	1732	8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe	30
PID 1732 wrote to memory of 1976	1732	8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe	30
PID 1732 wrote to memory of 1976	1732	8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe	30
PID 1976 wrote to memory of 2300	1976	vbc.exe	32
PID 1976 wrote to memory of 2300	1976	vbc.exe	32
PID 1976 wrote to memory of 2300	1976	vbc.exe	32
PID 1976 wrote to memory of 2300	1976	vbc.exe	32
PID 1732 wrote to memory of 2356	1732	8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe	33
PID 1732 wrote to memory of 2356	1732	8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe	33
PID 1732 wrote to memory of 2356	1732	8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe	33
PID 1732 wrote to memory of 2356	1732	8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe	33

C:\Users\Admin\AppData\Local\Temp\8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe
"C:\Users\Admin\AppData\Local\Temp\8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vr5tgflv.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB887.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB886.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2300
- C:\Users\Admin\AppData\Local\Temp\tmpB6D1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB6D1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8761359d525b466bb3f1356a6810da51d3247e7606961e3b9121c2843f2a5bdcN.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB887.tmp

Filesize
1KB

MD5
8764e64400202163e4a4369f0d5b5aad

SHA1
ab112b746988a9f56864cc363d3b989e9bf3b422

SHA256
ea4bda6e356e07348a469a4dc7b3b0cfb207f8f3b8c9c7eb8a1649e685cad353

SHA512
1030f55a067b1d1cc6438c6398ca3c061ef46d930159cbed4f91a937b0da21b50532f157aea74e3070f96dabf703c548ebb58c79916ab8090a22a5b79042ca3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB6D1.tmp.exe

Filesize
78KB

MD5
eca5ad03695e0c97abe0deffc252b0f8

SHA1
3e876604718d8eb9fb7632a116737facfe0a0e3a

SHA256
ae04dc1e1f700ba379bcdc0aa0cfca8d6270557e308439584a8afd4d5e97ec4f

SHA512
5dee5ead6169668a9230f143ade0bd8086395848fd038497b466ac94a1ac25d8c557b059efb53e4d609e66d89e61133a7fff699eebea8c50023b65e83b8c26af

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB886.tmp

Filesize
660B

MD5
ee6e0a2e28c408e4ef11d9503fb4ecde

SHA1
cc0cb7d141f02717750d99f39b5f8a17381ef75f

SHA256
2154c73fe14be3e1f65552bb9371c3246afe8e569e2733912410b1e373cf1c92

SHA512
09333ce7bdef9d7a01a30cd3e2e1efb806b1198334a11f93d034ed31faf2eead4db6f77bb5f1174f98bc1e4a9abdc952f3a870307931b027d111ae09ab442a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\vr5tgflv.0.vb

Filesize
14KB

MD5
bab35edc4613f0b9d63d12e02ca32fc2

SHA1
b49598ec78dd05f36df8dd92a721ec0fd3ac951c

SHA256
4350ac0b38c3eb30b461396e6996e9bde6c330329f5cfc34f2496a9781420a2d

SHA512
33f0f71faa263892b57e491cb18c912b138e778e882d7404ced03b6f350f4de49eee89467d90b3279fa3f58fe5e3743577da23f1e29ec02f0fb151af79debfa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vr5tgflv.cmdline

Filesize
266B

MD5
8a5805fbd10e04d4c7498483037f2677

SHA1
b915923eb89fc4ba8fc72f924326be75b61691b7

SHA256
f0cebc0d9c11eef3a9a7d90e96f6bfbac4aa59e79b99dd5e08b131669aa91c07

SHA512
3df79c149d726ea803b7d87d98d402cdba96fa0bc6dfebe2ccd0643d808dee25950e2a6cf2c3ed7c79075229d285a245d57294ad749e8dda6619b4b2aa8ce05f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1732-0-0x00000000748C1000-0x00000000748C2000-memory.dmp

Filesize
4KB

Download
memory/1732-1-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/1732-2-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/1732-24-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/1976-9-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/1976-18-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing