metamorpherrat | f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d

General

Target

f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe
Size

78KB
MD5

54f42b17ddd2252d4d53db327a6c5fbd
SHA1

db7b765012e7f85a6dc3db7aa12a314cf07c0858
SHA256

f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d
SHA512

0b6fde744f424c0e4dcc7c971f9eb4c6c025847fac72b89cd1590e620bc04d4c48f05681bdda89b93b88e522cd29ff219ec631bd15ad42bc50161287f24f7c3f
SSDEEP

1536:2uHHuaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtLKk9/A18O:2uH/3DJywQjDgTLopLwdCFJzLKk9/6

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Deletes itself 1 IoCs

pid	Process
2688	tmpF0F4.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2688	tmpF0F4.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2248	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe
2248	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF0F4.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 3060	2248	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe	31
PID 2248 wrote to memory of 3060	2248	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe	31
PID 2248 wrote to memory of 3060	2248	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe	31
PID 2248 wrote to memory of 3060	2248	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe	31
PID 3060 wrote to memory of 2768	3060	vbc.exe	33
PID 3060 wrote to memory of 2768	3060	vbc.exe	33
PID 3060 wrote to memory of 2768	3060	vbc.exe	33
PID 3060 wrote to memory of 2768	3060	vbc.exe	33
PID 2248 wrote to memory of 2688	2248	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe	34
PID 2248 wrote to memory of 2688	2248	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe	34
PID 2248 wrote to memory of 2688	2248	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe	34
PID 2248 wrote to memory of 2688	2248	f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe	34

C:\Users\Admin\AppData\Local\Temp\f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe
"C:\Users\Admin\AppData\Local\Temp\f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wyil4xv2.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF1EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF1ED.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2768
- C:\Users\Admin\AppData\Local\Temp\tmpF0F4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF0F4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f653e3af3d80404a4ed3c499f4b1826b1f7c5799f68f114e984c197e461f0c7d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF1EE.tmp

Filesize
1KB

MD5
ff6bd7b0d6597c3565a2440640681b26

SHA1
38b4d0d5619b69029c6fe928b22818a36b6cfeb9

SHA256
40c154658aa358448aa8e80a34c5e1d7af5eecc75013ae1c40282a60a530f5f8

SHA512
a044a2920b86255214baa57b661f0d3b7e3b4296ae7e8d3f08b0521702ca4880618d7f3c6fdf95ee2d69c1204f9f7863aeceec24d6a42afe2ad4ff2af866d178

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF0F4.tmp.exe

Filesize
78KB

MD5
c89398d050bbd6a496a4059f62c3a048

SHA1
5c8e4f728dd77fb2233012e9d0725d0dc54485db

SHA256
d07dc9c7abde4badd62ec644c7fb7e2b1f77fafe6ea4d0a28678ece8e904fc9d

SHA512
9e0a11ad717b9f09f2025c9f6273c4c978af2ed2b58e1150bd5e216ca232327b31a77eea35b05c530e513ae7a15c068e111f5d99636c0fd06b57effd02c59daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF1ED.tmp

Filesize
660B

MD5
60b1684eec2e47a7061a80a46f810749

SHA1
23821052ef5d0a0adbccf4951afd8cdf68e50407

SHA256
1ba33fc6dd55fc897fe0c33ac3f447275e4a48a7a8e96259194a0f3ce59e2475

SHA512
39c1e9b225d7b7ad92129e908f2203afa7a9e7886fd5b508f8b7ca9f758bc8d8fdbd57ecdfc2a34cfb0b889ab236a2196fa83bd628b24e5d313b195833be73b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyil4xv2.0.vb

Filesize
15KB

MD5
daa8549fbfb4542e035d9b91e1bea7bc

SHA1
6cdc406bb54773ccdfaad8945d611bec5b5b2608

SHA256
7593b7c79853b7543f90f179c9a74ba9a3553f5a7e22af9680a0c777897c9bb9

SHA512
bff8a01320e3d564dbda167014cae6b804335bd77fb88b7b50f0c3e79edefeeb4a07f63e828f43aa7192ace0ea7565320a1cc811be1a0c3209d3286f869eebf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyil4xv2.cmdline

Filesize
266B

MD5
354337aa57cd31438b37e2069ac339c0

SHA1
b6abf45222e94f482046ce6493aecdce975e2cf8

SHA256
4da4bff28782d8f96d637133b762476221b68ca16df1f7e3d93c57fcfc930563

SHA512
696fd0320d6fb6e91d12c1e4c1f826b8954ed3d5a0ef312c105edd0c27c25509b8cb6812a3e56474572707726881b5da9796468fdf475d983e51239360f2388b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2248-0-0x00000000747D1000-0x00000000747D2000-memory.dmp

Filesize
4KB

Download
memory/2248-1-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2248-2-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2248-24-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/3060-8-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/3060-18-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing