metamorpherrat | cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267

General

Target

cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe
Size

78KB
MD5

0a2ce31e8654f4c3ba6d81bf7ac51e00
SHA1

a0844a42d36b88b78074e967f3f946761b48ad28
SHA256

cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267
SHA512

f8d20f0e97e3bc01c4480682f961378338a8d26f16a4b071eb572033ee0028920d006d5b78887c572b29eccdc2e491ee3dd87dc86ebf139dded1b9330ae0fe7c
SSDEEP

1536:OHFo6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtLQ9/hg1Kz:OHFo8dSE2EwR4uY41HyvYLQ9//

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2492	tmpC0A1.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1652	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe
1652	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC0A1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1652	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe
Token: SeDebugPrivilege	2492	tmpC0A1.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2340	1652	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe	30
PID 1652 wrote to memory of 2340	1652	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe	30
PID 1652 wrote to memory of 2340	1652	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe	30
PID 1652 wrote to memory of 2340	1652	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe	30
PID 2340 wrote to memory of 948	2340	vbc.exe	32
PID 2340 wrote to memory of 948	2340	vbc.exe	32
PID 2340 wrote to memory of 948	2340	vbc.exe	32
PID 2340 wrote to memory of 948	2340	vbc.exe	32
PID 1652 wrote to memory of 2492	1652	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe	33
PID 1652 wrote to memory of 2492	1652	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe	33
PID 1652 wrote to memory of 2492	1652	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe	33
PID 1652 wrote to memory of 2492	1652	cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe	33

C:\Users\Admin\AppData\Local\Temp\cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe
"C:\Users\Admin\AppData\Local\Temp\cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5_ul9sg8.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1AB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC19A.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:948
- C:\Users\Admin\AppData\Local\Temp\tmpC0A1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC0A1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cf2f993cc96b70cf8e965dd1175460c4535fa6b839f8a88a617ba3fea46f4267.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5_ul9sg8.0.vb

Filesize
15KB

MD5
ed6e25af500062cd62614c3a7b04c55c

SHA1
bc217f517ebd72c46057a015b7fd1e0196eed231

SHA256
aafd8022749cf3ae7620673d03bac337617a5532c83a56d8e2f428bd9759e3ff

SHA512
b28d27f519670d176ffae73b250ec9843351cadeaf30dcaa5c431b95a1c79eee49d4e463dac8bf3094131a922b889e558984044a9a5c0a5560bdba95a16e5054

Download Submit
C:\Users\Admin\AppData\Local\Temp\5_ul9sg8.cmdline

Filesize
266B

MD5
c55bfd39834d9b5be11ec4914b695d2a

SHA1
43793a95d1b3289acf93ae057f0fd3d402c2ce8c

SHA256
5b860340d17e89143863d90c19e5ee5138f6b1268f2258ce246b62c7d0e2c2fb

SHA512
706fb2a3a0ddf2b33333c36fef66452ba119f1ef14cf574a8f3bcb616d7e61dfcb76db2d638947a3dd3b15a8bd6d5d8e2581414dd65845df331617246c235e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC1AB.tmp

Filesize
1KB

MD5
e4b660b08159764ea5ffcb684471d2cd

SHA1
6aaa3b9f1ddb74d68fd6c6ca034d878f2e9714c9

SHA256
2a0d1d499fa52bd307e527b98f2a51b4bc9d8f883943745e44603937ab2bee16

SHA512
1286a8e174498e502ba018ea3f653f2c3bdd7300b51e8e66ad227a89df4c41234d27538a2bdf2856c1301de85fec0234fb3de8ef9c756f987e6bf1ffb61800d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC0A1.tmp.exe

Filesize
78KB

MD5
feeffff4b29a405c5b597a0f781c2e46

SHA1
0fe7e73bcbfdf10a95df2b0f0b3f0adf9ad9694e

SHA256
5c274da40bafcde7f55f9e73c8d26bf54c15cc85f03e76d4ef22adeef5995455

SHA512
168cb3e571fd60b6a2fa54d604997dff0fdd51873222ad1e9faf194dca36a67336e7ba94008e46d4f9ff74977874ef694f605b2ad35a8e1e7e8ff8f7378b7530

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC19A.tmp

Filesize
660B

MD5
c359dc5926633ba5fa94c68ecd6a4c36

SHA1
2247a5ce51dc4d5dd00caf2618314242ce841183

SHA256
794816532dd9274b00c33d6a64243a02927e0ae0edc5c6184ba6c8e55243efb6

SHA512
1cbd14fb4be6da975cc395ac3ef5cc2fc3f924dcbddbc2af4fc6bdaed28295f7ffef8e6e2b8e1fae8233787a141500c897499ce3d6906e53fad668c52275563b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1652-0-0x0000000074361000-0x0000000074362000-memory.dmp

Filesize
4KB

Download
memory/1652-1-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/1652-2-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/1652-24-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-8-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-18-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing