metamorpherrat | 12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f

General

Target

12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe
Size

78KB
MD5

d4e4200b05c2554426faa4b79fb18de4
SHA1

819a07e23eec45f244cfc87fea29a76363376e4b
SHA256

12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f
SHA512

88738fc9124540b11858f06229b005275fd90430387c952e6afdeb1b81e0cfce3ed758b8ce58f3984a61e4b9b1c724d00abca561bbeb017700517886fe11ec19
SSDEEP

1536:URWtHY6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtLk9/71Bm:URWtHYI3DJywQjDgTLopLwdCFJzLk9/a

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1848	tmpD3B3.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2364	12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe
2364	12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD3B3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2324	2364	12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe	31
PID 2364 wrote to memory of 2324	2364	12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe	31
PID 2364 wrote to memory of 2324	2364	12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe	31
PID 2364 wrote to memory of 2324	2364	12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe	31
PID 2324 wrote to memory of 1812	2324	vbc.exe	33
PID 2324 wrote to memory of 1812	2324	vbc.exe	33
PID 2324 wrote to memory of 1812	2324	vbc.exe	33
PID 2324 wrote to memory of 1812	2324	vbc.exe	33
PID 2364 wrote to memory of 1848	2364	12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe	34
PID 2364 wrote to memory of 1848	2364	12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe	34
PID 2364 wrote to memory of 1848	2364	12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe	34
PID 2364 wrote to memory of 1848	2364	12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe	34

C:\Users\Admin\AppData\Local\Temp\12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe
"C:\Users\Admin\AppData\Local\Temp\12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xvmsnekz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD4CC.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1812
- C:\Users\Admin\AppData\Local\Temp\tmpD3B3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD3B3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\12642fb087a03437bf5d9d0174d7d57c0e1a9b3739bf0278faa0e669ab57304f.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD4CD.tmp

Filesize
1KB

MD5
dadce8210742d134bb43e69a8dd2450c

SHA1
927672dd8972b15e7a89c83eefc13aa0d28b602b

SHA256
e0f1017af54abbc0a5104161c5ef9e886c06327dac7112aeef1ae987e8fdc80e

SHA512
cb57368a16e19096e2f004cf4081cbf65836884f60807da85a9c18dd5abeab4d5f5c906a44c6c05b4623d19b2d59fc0505b7e42a98b6f75b8cb65e916936cb38

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD3B3.tmp.exe

Filesize
78KB

MD5
734b0aa1f35a7b2a41ac920d648789eb

SHA1
d5334bcce6b602ff39c160b450540b969415df69

SHA256
a3e103231d8bc96f73cef3002fe034c7cb8d11a5b5e883aa4d2c9feed782cf4a

SHA512
24accd9e35996595998335408089003b70bcb34f3509d297b75fc7d93fbe754cd0101de2ee069734fe3b017ca64042a1ff1c8b93083b4332a8c99b8691b7dbe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD4CC.tmp

Filesize
660B

MD5
b35414ffcef008f123d3444445135840

SHA1
e80c73ec8dfef84d688384f1b38b20b23a674a0f

SHA256
7a7a2469b92e57860c94b7d8c592481222984ed8ddac0a22d2a0ffc4ad709620

SHA512
2c35eb41e27e814e8e7bdcc8b583d3fae559fa3e0598b6b45af9b2083c3e090d3c31ff41560751c4ec31f51115accb13f456403ee4ab1625143921ca7bb3c5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvmsnekz.0.vb

Filesize
15KB

MD5
987bca8c389da313e9664320501078c1

SHA1
079db424ca67490edd08dc7bd8728277dcfc9a25

SHA256
208f0090b65941b293ec7e3fa7351c4148db415ef30b1599b9248e480c01f941

SHA512
4963db4640e1995d608834102325587f335078f7f277b7ba8058e370f664d61f1a0bc6ca19fdcb3bcc7e4034bd80dfb747d8db5eeef5450611e231488e10c81a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvmsnekz.cmdline

Filesize
266B

MD5
b3c23f1f04aaa806977f8ac1e6e143b4

SHA1
f02ee54db8c8936e7124ab53358b5625ab509379

SHA256
29f74a625e92eeab14040b143b185fb9a3d32266c31e0fec327f83fb5f605b31

SHA512
83b1903be6e350f7781a31e41cd1e9612e9179c99cc03bedd076966db32f4ea03f2700797c9d7240fac366f7b3a95eb1a2d5efcc8f67ae260128d3fe214e03c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2324-8-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2324-18-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2364-0-0x00000000747C1000-0x00000000747C2000-memory.dmp

Filesize
4KB

Download
memory/2364-1-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2364-2-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2364-24-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing