metamorpherrat | f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1

General

Target

f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe
Size

78KB
MD5

d89baa0d78cb0f750545ae620fda0ace
SHA1

ee19389ec8539d4783f9a3a196d846707f161074
SHA256

f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1
SHA512

5c6226b39d1fd920c2fcf1ba865a6647ffbec2bd432c67f76649047a2c7af6ddc032eb1228a873cf3bf7ebae0d957e446390f9e10bef3752a15f2c89ed3b8256
SSDEEP

1536:BsHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtI9/X111:BsHFo53Ln7N041QqhgI9/V

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe

Executes dropped EXE 1 IoCs

Processes:

tmpD1C7.tmp.exe

pid process

4396 tmpD1C7.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4396	tmpD1C7.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpD1C7.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpD1C7.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exevbc.execvtres.exetmpD1C7.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD1C7.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exetmpD1C7.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3096	f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe
Token: SeDebugPrivilege	4396	tmpD1C7.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exevbc.exe

description	pid	process	target process
PID 3096 wrote to memory of 3460	3096	f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe	vbc.exe
PID 3096 wrote to memory of 3460	3096	f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe	vbc.exe
PID 3096 wrote to memory of 3460	3096	f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe	vbc.exe
PID 3460 wrote to memory of 3152	3460	vbc.exe	cvtres.exe
PID 3460 wrote to memory of 3152	3460	vbc.exe	cvtres.exe
PID 3460 wrote to memory of 3152	3460	vbc.exe	cvtres.exe
PID 3096 wrote to memory of 4396	3096	f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe	tmpD1C7.tmp.exe
PID 3096 wrote to memory of 4396	3096	f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe	tmpD1C7.tmp.exe
PID 3096 wrote to memory of 4396	3096	f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe	tmpD1C7.tmp.exe

C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe
"C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jjt2m8am.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD30F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7A2D578840B42458F4C7CF74E587E8.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:3152

C:\Users\Admin\AppData\Local\Temp\tmpD1C7.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD1C7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4396

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD30F.tmp
Filesize
1KB

MD5
3b401dc17ce5caf641e78402091c1890

SHA1
4e2164c453faca4aa15cb30b7630f07a83f7524b

SHA256
8b9369d78fe66aa407ebcfcebc447ec0268a38cc69d8eede62c2b83887e0e9d4

SHA512
e8774a92aadaac7f3e963f315076edb794ba4e9bb65bcf2a20b096f5bf062b8aaff7b929923106804471637f4648f45c5faee21b69290dc24a96faece9766e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjt2m8am.0.vb
Filesize
15KB

MD5
25434663a57ed75713058610213d949d

SHA1
c842c0c159ff0fb6863efffb11f8accb3237b671

SHA256
bda5728f5d480726935548116ab53e8ee4ba49654ba5aa6a40e640e6707f556d

SHA512
a55f0ce1e68b3fe50db794ade96525efadb2ed31a93b11656ec0a682d5b55833e445d74427b1d1c2f48e4b5c3d0b2adff847c7ef4d8690cf504b5dc5165abd81

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjt2m8am.cmdline
Filesize
266B

MD5
4b3e94e4f23825fd826fa5ecf0e02013

SHA1
e7cdef646f6d3e25dfa3a47d093a26bb3fc41a6c

SHA256
8d3ec21b97beed94bd2e1bfe1d46ac2ecd6656dba064e6cf9bea64c2863e80cf

SHA512
b7fbc3c919448d4241336a7028394ada6eb04908001f0af395a89ff9634adf64c2e29fe9a8d17ab6b6e2ae7b3fe8328dfb49b6b8f98c716385beedc5f3dc3216

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD1C7.tmp.exe
Filesize
78KB

MD5
0222cd75b38371d8df1c7347c03c1d54

SHA1
e45bba56e6274121cffaab64ea844c5b471ab646

SHA256
fc6c82ee89f95632f88a895c825820c55397fb61a92947c820dcb9b28c4c0c32

SHA512
242270b3088587cbb9ef49d6795c60c8d2abec8fa158de89c2166e83b00b656e0ebeb242a8305c51dbb7fa2561e61ca413c28b72c42ccb7f77ce8ecf4c289164

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7A2D578840B42458F4C7CF74E587E8.TMP
Filesize
660B

MD5
d0c8335d9bfefd2074202df4a729e3a1

SHA1
f15fae1163b54c9c9ecc5b444b3d53d3f075d74e

SHA256
31706f48cfb75bc5da66b47d47796e0b06fdb421325fd0b953e7fa4543802678

SHA512
dd883e669f3aa13b503af91aea5d5a1fa176332f89b184646865d75de8d6a5992f4231c4169b4da0a2e3d16459eb8f3be8f057165763444679733cd7442f5e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/3096-1-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/3096-2-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/3096-0-0x0000000074722000-0x0000000074723000-memory.dmp

Filesize
4KB

Download
memory/3096-22-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/3460-8-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/3460-18-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/4396-23-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/4396-25-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/4396-24-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/4396-27-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/4396-28-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/4396-29-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads