metamorpherrat | 8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d

General

Target

8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe
Size

78KB
MD5

f13f1d01a28fbee71a5c6a16f4122970
SHA1

606f92dfd349b012ec54f9912192ee6d4942c857
SHA256

8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d
SHA512

1fc59f8232612d5d3810aab9f0f259ac4de5ee0e72ce1e8b8a27f8ab4da9dae98e69d7fce3baf13a6dee65f3513a20ebcb1882581fab96224d10f5b72fed00e9
SSDEEP

1536:l+5jSNpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti67Y9/PC1aw8:I5jS7JywQjDgTLopLwdCFJzDY9/E8

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2684	tmp8768.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2496	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe
2496	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8768.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2948	2496	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe	30
PID 2496 wrote to memory of 2948	2496	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe	30
PID 2496 wrote to memory of 2948	2496	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe	30
PID 2496 wrote to memory of 2948	2496	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe	30
PID 2948 wrote to memory of 2544	2948	vbc.exe	32
PID 2948 wrote to memory of 2544	2948	vbc.exe	32
PID 2948 wrote to memory of 2544	2948	vbc.exe	32
PID 2948 wrote to memory of 2544	2948	vbc.exe	32
PID 2496 wrote to memory of 2684	2496	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe	33
PID 2496 wrote to memory of 2684	2496	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe	33
PID 2496 wrote to memory of 2684	2496	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe	33
PID 2496 wrote to memory of 2684	2496	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe	33

C:\Users\Admin\AppData\Local\Temp\8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe
"C:\Users\Admin\AppData\Local\Temp\8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7gjp6z0q.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8824.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8823.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2544
- C:\Users\Admin\AppData\Local\Temp\tmp8768.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8768.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46dN.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7gjp6z0q.0.vb

Filesize
14KB

MD5
eed6958d84c5086057c0aa4dc3847298

SHA1
ebdbb849b2d8e1bbee0757c25b46dace24b9ce84

SHA256
0551692a88eec66de44dab953b3621c21d4e4b69d4686833d3fdd9fe63677331

SHA512
620e967b7cdfa69afb38045777c05d78f9865e90dbd70748bb2ca9dfbfc7e6ac47d30872e18e9543b6540b05508a20b30518ed7cb32e7a2f9dab9c5233e3f8ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7gjp6z0q.cmdline

Filesize
266B

MD5
77e2cc07af8d018917986590a0890eae

SHA1
1c055c7dfc454f0760a91d4326f3d075a2c37aed

SHA256
00a95dd199bd09996975815b8f6659d65ebc7e3e5343ddcba349c47361ad20a6

SHA512
d442c85817d5c9ed4b0a5e030fd8672b34ee585b41cde6a523a4051a29b7643091bcb964410e4d2b9320d9a83117470307432ac0f73e09183554a65e875c4eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8824.tmp

Filesize
1KB

MD5
0d5a4b98212f54fbf783f218bfd5f340

SHA1
9530a98dcadbe5222438bb40d0e3230ba4124737

SHA256
7dbef6ab3c70df2064fa4907f8b76a4988e58d7946a26f2193309509e9d700cb

SHA512
559f154480251fe31bfcbdcfd7d8086d8a8a2bed736c8a17a8b5bc97289d54b27637677fd62bd25a913683a346baf5b34bdf651b07eabc6839c0da3e61fb4bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8768.tmp.exe

Filesize
78KB

MD5
e4c14a7fceef798444b092d8b1662d91

SHA1
6e85fd3ac1be561927e99581e2373446c9bb445a

SHA256
ed6ebf3051326dae9b3198ca14c20c5ebd9bca164ee053ee97068b737c523e1f

SHA512
301a57824ae1fcfdffe41393d7dbb7ca8dc04c69ec15d68fde03e695ad03612b05e82fdbbdcb0d68358a4ba5a959dde3938e9465694ae8e5a4bbd06312b6a1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8823.tmp

Filesize
660B

MD5
b12310d318977c5767f37fb74af0f25e

SHA1
d916a57df3f00d16b81ef47794a2ab3f956e2f89

SHA256
343b758d79593b362c5c8f66d5213093a7a250465747c047d3caf6b054a1da5d

SHA512
34f8b04564fa7ab3a7ab3bee544a71bf291fc4d00e00f3f6dfbf976e4d7d5fd49ed56a01612881631885f7cfd335ca279256bbbb8798b9e9b5d4cba45c5f5eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2496-0-0x0000000074411000-0x0000000074412000-memory.dmp

Filesize
4KB

Download
memory/2496-2-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/2496-1-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/2496-24-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/2948-8-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/2948-18-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing