metamorpherrat | 68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603

General

Target

68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe
Size

78KB
MD5

81df97a54b8c4fa3dc0bf640a319dd29
SHA1

340a4a7416713b287abaddce099f8d6b02657650
SHA256

68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603
SHA512

63addd28010f6adcfbaa9cbcd62f75a9452a7514697b8053c6edea4466e73b6342ce49b407235034521daeb594456c607de827ff146a271e199e1f8c4fcb7663
SSDEEP

1536:ZRWtHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtMI9/WR1Ch:ZRWtHFoI3DJywQjDgTLopLwdCFJzMI9h

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1988	tmpD568.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2132	68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe
2132	68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD568.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2132	68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2148	2132	68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe	31
PID 2132 wrote to memory of 2148	2132	68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe	31
PID 2132 wrote to memory of 2148	2132	68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe	31
PID 2132 wrote to memory of 2148	2132	68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe	31
PID 2148 wrote to memory of 2188	2148	vbc.exe	33
PID 2148 wrote to memory of 2188	2148	vbc.exe	33
PID 2148 wrote to memory of 2188	2148	vbc.exe	33
PID 2148 wrote to memory of 2188	2148	vbc.exe	33
PID 2132 wrote to memory of 1988	2132	68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe	34
PID 2132 wrote to memory of 1988	2132	68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe	34
PID 2132 wrote to memory of 1988	2132	68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe	34
PID 2132 wrote to memory of 1988	2132	68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe	34

C:\Users\Admin\AppData\Local\Temp\68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe
"C:\Users\Admin\AppData\Local\Temp\68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qrnezdzz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD644.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD643.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2188
- C:\Users\Admin\AppData\Local\Temp\tmpD568.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD568.tmp.exe" C:\Users\Admin\AppData\Local\Temp\68f0c8f59bd000578c48c16f3c05b545ee360814b23be009c928bcaf22463603.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD644.tmp

Filesize
1KB

MD5
b436b594d5368e1373cbedb878877883

SHA1
953b0f840fd1a59f50015c43534b3e25b13abe79

SHA256
8fc897cb9867c8a00b02cf92505271806831b0c703e826b034fbe7728ac8b53d

SHA512
18a5f6555bf6f5c34f6fe3635a89be38fccd396194c19d5e15ae9b76e9208e7a3505f458eb5bebbecd592b191dc4f49d238af6f6b80a6ed2cc25d012be6460de

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrnezdzz.0.vb

Filesize
15KB

MD5
bc93d1cffc4b354044cc416b1a0b1c29

SHA1
c64f172479c75bc7744c6338154824f6bd8fe1bc

SHA256
ca360299cfc7db22b288fb9d53c11731574b7f8bec4343a68da06300212e32af

SHA512
f22aee6d09abdb1d31fd21cc16a0c6ae0909ede079336ce66fe8727925cc3510379e4804b055e9f49bcfa4246d1f2029a74d616c12953b5a79cf48598c8420c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrnezdzz.cmdline

Filesize
266B

MD5
8c0bba49ab45aafbe158814befc69faf

SHA1
dcedaf2e0a6c3b09835a27d3e3b8ec7df3e7ad63

SHA256
65f4b807b2178f85a0f8765317abdfdbe4bae256d5ff1209f2d3b28fc91a8d9b

SHA512
8ac762166db42f89358ac14339d4638cb7294fb1a2731b2af306e86bca222b14974e41b60a346c2ca066af7d547fbc79eb829122f2c684d705c6e7c7a676550d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD568.tmp.exe

Filesize
78KB

MD5
1fa6cf4f8d7657392f7f6535b5063f48

SHA1
8972ec5385aa73e024ebb350122dab4733bfa6f9

SHA256
ac5355d2c6475662801df2096c4680b7dfbacc5183b9f16a33bfc4d8851271a4

SHA512
7cc9fd0bfacb0aecf8f5c8abab5c891ad74aa4ca9b65633c4f54c1aa53db9e748c8164f4fe16e75108c3952585feac171eca8f8201d95ce46b7fcb955a851018

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD643.tmp

Filesize
660B

MD5
3004f7686ab5d7c65bd580fb63b7c1b3

SHA1
201a3ab2c15ffb29fe5dd9237a2a05710c93b038

SHA256
c3019a1955f1b5e93e2942bc305b3a8c83d8ca39439d8eb17e1c44c0128f1fb5

SHA512
62d58a7bad3665db290c03bc28f29bcd23b6269309806552d281e29df92810d1ad8621058a600d32c0e8c9746a299a9e87f745220316998584b3b96fdbc8c969

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2132-0-0x0000000074EE1000-0x0000000074EE2000-memory.dmp

Filesize
4KB

Download
memory/2132-1-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/2132-2-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/2132-24-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/2148-8-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/2148-18-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing