metamorpherrat | f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1

General

Target

f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe
Size

78KB
MD5

d89baa0d78cb0f750545ae620fda0ace
SHA1

ee19389ec8539d4783f9a3a196d846707f161074
SHA256

f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1
SHA512

5c6226b39d1fd920c2fcf1ba865a6647ffbec2bd432c67f76649047a2c7af6ddc032eb1228a873cf3bf7ebae0d957e446390f9e10bef3752a15f2c89ed3b8256
SSDEEP

1536:BsHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtI9/X111:BsHFo53Ln7N041QqhgI9/V

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpDC3B.tmp.exe

pid process

2656 tmpDC3B.tmp.exe

pid	process
2656	tmpDC3B.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe

pid	process
2628	f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe
2628	f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpDC3B.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpDC3B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exevbc.execvtres.exetmpDC3B.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDC3B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exetmpDC3B.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2628	f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe
Token: SeDebugPrivilege	2656	tmpDC3B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exevbc.exe

description	pid	process	target process
PID 2628 wrote to memory of 2296	2628	f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe	vbc.exe
PID 2628 wrote to memory of 2296	2628	f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe	vbc.exe
PID 2628 wrote to memory of 2296	2628	f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe	vbc.exe
PID 2628 wrote to memory of 2296	2628	f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe	vbc.exe
PID 2296 wrote to memory of 2960	2296	vbc.exe	cvtres.exe
PID 2296 wrote to memory of 2960	2296	vbc.exe	cvtres.exe
PID 2296 wrote to memory of 2960	2296	vbc.exe	cvtres.exe
PID 2296 wrote to memory of 2960	2296	vbc.exe	cvtres.exe
PID 2628 wrote to memory of 2656	2628	f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe	tmpDC3B.tmp.exe
PID 2628 wrote to memory of 2656	2628	f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe	tmpDC3B.tmp.exe
PID 2628 wrote to memory of 2656	2628	f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe	tmpDC3B.tmp.exe
PID 2628 wrote to memory of 2656	2628	f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe	tmpDC3B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe
"C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4u_8tgs4.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE20.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE1F.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2960

C:\Users\Admin\AppData\Local\Temp\tmpDC3B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpDC3B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4u_8tgs4.0.vb
Filesize
15KB

MD5
34f91d427367e80aae4c1efb1a2d0645

SHA1
3832144bf21fda73fd38775f07740e99a0c079b7

SHA256
5017bc19f9e59685c1a30ef062bdcb162f4c10574efddc657f546c3b81902e7e

SHA512
427974b878ad2c95b12455667d41e9ad29c1cbfcecaad18d53a6b770308e9e85e485c8f1005683108a498b3b73c5ad3292881b5502eaf28843139705e6911fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\4u_8tgs4.cmdline
Filesize
266B

MD5
4fdf7e70caf1be5e2c4b7deb1cc1730a

SHA1
e50bab44dcd2af6a41b105352ef9eebf74ad465e

SHA256
ecb20b701fa0e797ea1277f909e28311cd527967cea2d87a6e2a88c0de819a11

SHA512
154b64f6130917c04c8cd34f26a01cc6dea9a825b9749c8bf3e6e05e4bd1df9e4f3f75bfbb233fd4f8be4a7af46a2b17ac72d718b37f04d8f9c338a4c46c737a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDE20.tmp
Filesize
1KB

MD5
c093b71502f29be16e9fa0a76076d81c

SHA1
18c90201d69e7a11f51e4a0b1a90061641225b67

SHA256
283cbc4ab3f4b7d603e4b53e9f2fdad5d051f09d6471d6403a79e7616193505e

SHA512
8035f5cf700a725be59d706f572130ef1b3b42cee21d15f3d46ae7a455e6a85587cbb08535b03599b8f25b94e223c55f682e79d5c7ff72d1c420ce2d8743c8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDC3B.tmp.exe
Filesize
78KB

MD5
1b220dd9912433ed1bac64875d11d8bb

SHA1
92fdc333098cfc406d2a3e0f9a2b851dee6595f5

SHA256
51b7ba6929d759583ed659876b46cc803a2e30b5cd52a26c3ee51129e534c45a

SHA512
0acd9e5cac58d583e2243ce08b6704b75bcba0ed4b97ee3c583b47d25b3370bafdeab028b4d35a38bc1bebacd9ccea6c00f13f43c7cf756657c33cc997ede3de

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDE1F.tmp
Filesize
660B

MD5
e4dedfbe6b5db4630e9f72c0af2cd117

SHA1
fffe69c777c1bf4c914bd65cb585f06df8481080

SHA256
1bde20377664fb85d01c2af81e99e0d1055809c5b716820ff5d494e104c7c234

SHA512
7d0ea196826714e58dc6b93a53cc8931586d222ad925b8535e2987aae90257d6bb222976e2312a6ca9016fbb0c706033954eba57dede6822a25620f9e8ec3078

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2296-9-0x0000000074EF0000-0x000000007549B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-18-0x0000000074EF0000-0x000000007549B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-0-0x0000000074EF1000-0x0000000074EF2000-memory.dmp

Filesize
4KB

Download
memory/2628-1-0x0000000074EF0000-0x000000007549B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-3-0x0000000074EF0000-0x000000007549B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-24-0x0000000074EF0000-0x000000007549B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads