metamorpherrat | f531f067806086aa5d9b7dcdbae2a329ab210beb5d8828ec1ef14d3f97e23803

General

Target

f531f067806086aa5d9b7dcdbae2a329ab210beb5d8828ec1ef14d3f97e23803.exe
Size

78KB
MD5

41042ed0f3178c9e0f915b31e39b8df4
SHA1

75ecd4ce96a74ed8bd8fb7cd8cfc50f9bab4f228
SHA256

f531f067806086aa5d9b7dcdbae2a329ab210beb5d8828ec1ef14d3f97e23803
SHA512

70946c82bd3346d2facbab6fe8515c047fa1d04fdf875fa1167de3515caf4161528e57c6edcaf659ac66b6efd6d613e8d86d36472fe48db7ec4309999ce0c062
SSDEEP

1536:QtHY6M7t/vZv0kH9gDDtWzYCnJPeoYrGQtef9/O1T8:QtHYnh/l0Y9MDYrm7ef9/7

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2872	tmpF9BA.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2248	f531f067806086aa5d9b7dcdbae2a329ab210beb5d8828ec1ef14d3f97e23803.exe
2248	f531f067806086aa5d9b7dcdbae2a329ab210beb5d8828ec1ef14d3f97e23803.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpF9BA.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f531f067806086aa5d9b7dcdbae2a329ab210beb5d8828ec1ef14d3f97e23803.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF9BA.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	f531f067806086aa5d9b7dcdbae2a329ab210beb5d8828ec1ef14d3f97e23803.exe
Token: SeDebugPrivilege	2872	tmpF9BA.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2792	2248	f531f067806086aa5d9b7dcdbae2a329ab210beb5d8828ec1ef14d3f97e23803.exe	30
PID 2248 wrote to memory of 2792	2248	f531f067806086aa5d9b7dcdbae2a329ab210beb5d8828ec1ef14d3f97e23803.exe	30
PID 2248 wrote to memory of 2792	2248	f531f067806086aa5d9b7dcdbae2a329ab210beb5d8828ec1ef14d3f97e23803.exe	30
PID 2248 wrote to memory of 2792	2248	f531f067806086aa5d9b7dcdbae2a329ab210beb5d8828ec1ef14d3f97e23803.exe	30
PID 2792 wrote to memory of 2736	2792	vbc.exe	32
PID 2792 wrote to memory of 2736	2792	vbc.exe	32
PID 2792 wrote to memory of 2736	2792	vbc.exe	32
PID 2792 wrote to memory of 2736	2792	vbc.exe	32
PID 2248 wrote to memory of 2872	2248	f531f067806086aa5d9b7dcdbae2a329ab210beb5d8828ec1ef14d3f97e23803.exe	33
PID 2248 wrote to memory of 2872	2248	f531f067806086aa5d9b7dcdbae2a329ab210beb5d8828ec1ef14d3f97e23803.exe	33
PID 2248 wrote to memory of 2872	2248	f531f067806086aa5d9b7dcdbae2a329ab210beb5d8828ec1ef14d3f97e23803.exe	33
PID 2248 wrote to memory of 2872	2248	f531f067806086aa5d9b7dcdbae2a329ab210beb5d8828ec1ef14d3f97e23803.exe	33

C:\Users\Admin\AppData\Local\Temp\f531f067806086aa5d9b7dcdbae2a329ab210beb5d8828ec1ef14d3f97e23803.exe
"C:\Users\Admin\AppData\Local\Temp\f531f067806086aa5d9b7dcdbae2a329ab210beb5d8828ec1ef14d3f97e23803.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\isid4stz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAF3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFAF2.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2736
- C:\Users\Admin\AppData\Local\Temp\tmpF9BA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF9BA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f531f067806086aa5d9b7dcdbae2a329ab210beb5d8828ec1ef14d3f97e23803.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFAF3.tmp

Filesize
1KB

MD5
9ca9eec7660de4876691ab0dd1fc3a47

SHA1
9f369689e654bea6dcc5cd28344eb60bcbc3def1

SHA256
5672d1e3c1dedd8d328094ef2e645e6303a8608dc977ac00947bdcb0bd5b9d2f

SHA512
9668832c5e8e19c2329e698d5d8de0c651192f8fff89352fa3ab018db8a18569b4842d9afa76df6b9bbefe1215b0487f186f6c8a0888a07832cff36ddd7d52d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\isid4stz.0.vb

Filesize
15KB

MD5
ef990483a6deea7bcda8adf9f89b7ee1

SHA1
fc33709656aa59fd77cd63bb4b00347edc24d3b2

SHA256
2c180ea57729fd45148f1620fcdb5fc532b5dd71963d51b44cfe478d990171b6

SHA512
5f888c4d1415aced5dbbc08f07ab1d0c974c0471d3c17596ba4a4fc7684db4dd0563d164fde943824f1759de2bfccf3d214af310f4ee695433075f99592d3d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\isid4stz.cmdline

Filesize
266B

MD5
e7b71ec66bb021ffe69735d8cbfc3053

SHA1
3d5498f811727de4635051045603bbe18f93e694

SHA256
7384ed628a816ed09306841500fdc83e2ba19ecc81701635d79c331df1c416d3

SHA512
0cca4e7d7ab40bce1aef15dc863f9e0e894d23314279ff4e5d556c03a63e0c47970e1f82e0e9f54e1e886149dc8d0b7a4f0ab9bee19c22f3f2e71d903eb31604

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF9BA.tmp.exe

Filesize
78KB

MD5
842f3cc4c1d97c183608ddc0cb9dfe39

SHA1
30923d06502c5919f2e2f8652262239b9c044b41

SHA256
1bd5bf6a1ee1cbe96048df7fb37ae8c4ded3c7fb725d9f509d2b261bbd7c9586

SHA512
ddf0af9d28b402af4cece019d5771af8a2663c29e5efea8a2b7ca9b6a6ca17839238c9d9f72a1dfdfc78106217d5ece29e1e1687c38eef66c07d7fe3466c8f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFAF2.tmp

Filesize
660B

MD5
2694fc411bf4cfdfecf6a15664d06e53

SHA1
8f8b31aa7bec894cd971457c5131e8d75c56a2e9

SHA256
e9b7b9fb902c785c50a04918e79905f032f42f53005c82f7cd8f548ad28f3fb0

SHA512
80ceaf770e7d8d04de4a148ae77936d79c83bfd7f60acf0c64166f6c55979c4ec6cd0cb0bb8d7261ab91cdf1e2b7530c165ca6f585657a9f335a6c510dd7f0c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2248-0-0x0000000074A51000-0x0000000074A52000-memory.dmp

Filesize
4KB

Download
memory/2248-1-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/2248-2-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/2248-24-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/2792-8-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/2792-18-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads