metamorpherrat | d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8

General

Target

d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe
Size

78KB
MD5

12d67b325bddf3008d6a2bbec29d76d4
SHA1

45b0bdace068df0c2e09da72f0159d0b56b1dcc1
SHA256

d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8
SHA512

c495859022f6bccea7d6c181383b189308cd064e20fec06ac0a125cc67936868b2bc796d51c52a16030427dc8ee24e9f2bff8f51146de51eb02e144dc775771d
SSDEEP

1536:LCHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtG9/E1dV:LCHFoI3DJywQjDgTLopLwdCFJzG9/q

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat
Deletes itself 1 IoCs

Processes:

tmpF103.tmp.exe

pid process

2588 tmpF103.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmpF103.tmp.exe

pid process

2588 tmpF103.tmp.exe

pid	process
2588	tmpF103.tmp.exe

pid	process
2588	tmpF103.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe

pid	process
2008	d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe
2008	d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmpF103.tmp.exed3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exevbc.execvtres.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF103.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe

description pid process

Token: SeDebugPrivilege 2008 d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe

description	pid	process
Token: SeDebugPrivilege	2008	d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exevbc.exe

description	pid	process	target process
PID 2008 wrote to memory of 2764	2008	d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe	vbc.exe
PID 2008 wrote to memory of 2764	2008	d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe	vbc.exe
PID 2008 wrote to memory of 2764	2008	d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe	vbc.exe
PID 2008 wrote to memory of 2764	2008	d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe	vbc.exe
PID 2764 wrote to memory of 2784	2764	vbc.exe	cvtres.exe
PID 2764 wrote to memory of 2784	2764	vbc.exe	cvtres.exe
PID 2764 wrote to memory of 2784	2764	vbc.exe	cvtres.exe
PID 2764 wrote to memory of 2784	2764	vbc.exe	cvtres.exe
PID 2008 wrote to memory of 2588	2008	d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe	tmpF103.tmp.exe
PID 2008 wrote to memory of 2588	2008	d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe	tmpF103.tmp.exe
PID 2008 wrote to memory of 2588	2008	d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe	tmpF103.tmp.exe
PID 2008 wrote to memory of 2588	2008	d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe	tmpF103.tmp.exe

C:\Users\Admin\AppData\Local\Temp\d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe
"C:\Users\Admin\AppData\Local\Temp\d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cjnracaj.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF307.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF306.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2784
- C:\Users\Admin\AppData\Local\Temp\tmpF103.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF103.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d3bb75386117779fa5b12555fe04212c4ed6920e8a2dae5af27e4ebcbba6fcc8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF307.tmp

Filesize
1KB

MD5
78fdae9c91359e1b0321c78d77eb5b98

SHA1
542fccf045d3746ab66281a261cf945e411789ff

SHA256
60d10a3fb93c61a72ba4e745d31d15143091ddb00b5bcf26c88b4e7b52db5c15

SHA512
30d6424042bef5aea2e3d6a579d3ad573c59cf949baca6177ea6e186e84e9bc79f0155a0c241c9f5271bfd7ea49fde7d1e41b016262e39a5ac18ac760aa1e91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cjnracaj.0.vb

Filesize
15KB

MD5
b9e55684c7eb7ebab8a6c7a892fb0dc3

SHA1
6094679a88acfbec47f0c1e00ab6bf0972034680

SHA256
71a4cec9cde012164db616f2f43e46f31e19d27de3a5af217a9022c71a3a8399

SHA512
02f4ae1f708da5acb50236585321ab4f20da16238a4084c6a5157e23348fbc2420f7ec398435a774970e492fa73ab10ab6d58159da3d9931e23205f1fcee4e03

Download Submit
C:\Users\Admin\AppData\Local\Temp\cjnracaj.cmdline

Filesize
266B

MD5
b6bc6aaa75575b38c6b6576cd35f2aa3

SHA1
457ac5243de3c46bd676048c35276acfba03b47b

SHA256
7049f504ec1578d3b381d77d19d8e2c5303eb4841e99bc2ca85e2abb95094236

SHA512
fda50e07009bbdee19414afc29cbc9b50a5268ccac4493e04034a9fee77238595c7b65006c5bbfb406579593be1a8b7db4fd96dfb89e9cea379c0c1a6edb73dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF103.tmp.exe

Filesize
78KB

MD5
f77bc6133dbebfd026de06222064ccb2

SHA1
ede3bdecfc8598d7f9b4ea641298079995aa4c4d

SHA256
8dacda682ac1f15b7e0ebe6751a6073228d85b0215a8b9fffaf4f204f2cab31a

SHA512
5bf1f36a7078a66c0976d3626a3cf34bcffdea3ea3809191aa553188dcdd8c305afb011c278dd22132d1f9b2802112982a9f419d35c7162da24ceb63dd52455c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF306.tmp

Filesize
660B

MD5
8c8e0d9c5925c89877ac1a27bc5028c0

SHA1
8d9cc8f1a78e9129a7aed5867ca97e78fc52bbd8

SHA256
bc2c2452cf234cfa078b2c643689a077894a7230a0a08e14733f354a995905f4

SHA512
fd7d908b11e1a78d4ab9ecd6a5ba74589c0ebe1f5bb588170e8e0e47ed5c967f091c94f863866112e0deef6b83d07bc9ddf57690e7f966e429fee374708d3ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2008-0-0x0000000074A41000-0x0000000074A42000-memory.dmp

Filesize
4KB

Download
memory/2008-1-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2008-5-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2008-23-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2764-8-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2764-18-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads