metamorpherrat | fff5930f5eab2587edf16567fbcc104a6ae0d01d53a7542178a626b7103e65d6

General

Target

fff5930f5eab2587edf16567fbcc104a6ae0d01d53a7542178a626b7103e65d6.exe
Size

78KB
MD5

b76a31ddb76c64289d387a0109d2f5f1
SHA1

7e709a34a7943dac03f37eb38a6782714919cae0
SHA256

fff5930f5eab2587edf16567fbcc104a6ae0d01d53a7542178a626b7103e65d6
SHA512

e761bb8519c80314abbd73d79561ffddf271938af2810d04c3b2b1c84879b53d0f24ea50628e2238581a3bebdb1ee6690d169e45447ae64cae7be3f740ecb231
SSDEEP

1536:ctHF3rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti9/411q4K:ctHFbdSE2EwR4uY41HyvYi9/uK

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Deletes itself 1 IoCs

pid	Process
2648	tmp48D3.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2648	tmp48D3.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2640	fff5930f5eab2587edf16567fbcc104a6ae0d01d53a7542178a626b7103e65d6.exe
2640	fff5930f5eab2587edf16567fbcc104a6ae0d01d53a7542178a626b7103e65d6.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp48D3.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fff5930f5eab2587edf16567fbcc104a6ae0d01d53a7542178a626b7103e65d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp48D3.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	fff5930f5eab2587edf16567fbcc104a6ae0d01d53a7542178a626b7103e65d6.exe
Token: SeDebugPrivilege	2648	tmp48D3.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2808	2640	fff5930f5eab2587edf16567fbcc104a6ae0d01d53a7542178a626b7103e65d6.exe	30
PID 2640 wrote to memory of 2808	2640	fff5930f5eab2587edf16567fbcc104a6ae0d01d53a7542178a626b7103e65d6.exe	30
PID 2640 wrote to memory of 2808	2640	fff5930f5eab2587edf16567fbcc104a6ae0d01d53a7542178a626b7103e65d6.exe	30
PID 2640 wrote to memory of 2808	2640	fff5930f5eab2587edf16567fbcc104a6ae0d01d53a7542178a626b7103e65d6.exe	30
PID 2808 wrote to memory of 2784	2808	vbc.exe	32
PID 2808 wrote to memory of 2784	2808	vbc.exe	32
PID 2808 wrote to memory of 2784	2808	vbc.exe	32
PID 2808 wrote to memory of 2784	2808	vbc.exe	32
PID 2640 wrote to memory of 2648	2640	fff5930f5eab2587edf16567fbcc104a6ae0d01d53a7542178a626b7103e65d6.exe	33
PID 2640 wrote to memory of 2648	2640	fff5930f5eab2587edf16567fbcc104a6ae0d01d53a7542178a626b7103e65d6.exe	33
PID 2640 wrote to memory of 2648	2640	fff5930f5eab2587edf16567fbcc104a6ae0d01d53a7542178a626b7103e65d6.exe	33
PID 2640 wrote to memory of 2648	2640	fff5930f5eab2587edf16567fbcc104a6ae0d01d53a7542178a626b7103e65d6.exe	33

C:\Users\Admin\AppData\Local\Temp\fff5930f5eab2587edf16567fbcc104a6ae0d01d53a7542178a626b7103e65d6.exe
"C:\Users\Admin\AppData\Local\Temp\fff5930f5eab2587edf16567fbcc104a6ae0d01d53a7542178a626b7103e65d6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ifbn2jdw.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B92.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B91.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2784
- C:\Users\Admin\AppData\Local\Temp\tmp48D3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp48D3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fff5930f5eab2587edf16567fbcc104a6ae0d01d53a7542178a626b7103e65d6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4B92.tmp

Filesize
1KB

MD5
ae813fe28438f90eaf4102d3d28278b8

SHA1
2ce35bec30a606b1b9d978dfae768f767ecd54f1

SHA256
a6e1f8b102caa8bc60e0dab0f6521bc8061788588f59ffdb15965214bfd3aec7

SHA512
209fc27215d47fa891e89aa8e5f9bd143e4512c5442e8d02f9380b23316d91ce8d6aa0597c527a70ad31f449889d2b3cce120f70bbb267ce2b0896eb55389990

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifbn2jdw.0.vb

Filesize
15KB

MD5
9bf0c822e1dbad064a89b6fea2dc70b3

SHA1
0d0a29d0bd803d4d6a161ad5b5de569f67b534ce

SHA256
07d60788579f9b1b13811e6a2257508813f9271e72ef3aa5210c1e030f3ef4b2

SHA512
97796960eef48728b5931bdec86ccbdea031c5a6b093455c01df2b6b4c72b7e2c6fdd055d6b046ea6b7bec023c1438c18eaed9ee9eeea6ee9845b51b487f83ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifbn2jdw.cmdline

Filesize
266B

MD5
df4f47d42ccaab96b2cff57eb8ea61f8

SHA1
f5bb0c9022ec8a5d54b8b2a360a222075a82c029

SHA256
891af9b6a18d7e55ec1d94765fcd6f7e29c73d893d000189b6c36085a0a75973

SHA512
0d366ed9d1ad96faf58e1ca68e652033d294f26fc3783ffd6498109ad6de4051b4e786e97dbd1ccadfccf2edc8eb88c9fa6e51f4c8183ad6a0c0207087721762

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp48D3.tmp.exe

Filesize
78KB

MD5
18217c9356c2ac8b3eb5d80609be9a2f

SHA1
41269b4634145c34b16adf89cce22e3c21585ed4

SHA256
e3de77247cf6152fa40da54ece7e6b778401253be6aca995dafdb122d80325f2

SHA512
75d98a0edf1356cefcd813c9b0e3bfa038a99449b0dd84e14d6e1ff1e4bd094f416f6183927cc319e6fc4222bc5aae228e3ecef66a58c8ab98af2a7ae302660e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4B91.tmp

Filesize
660B

MD5
0a71d1b2f5045ea7aaf627b492fbc27f

SHA1
5489b877496c86a10e040dd7b9c0caf57c1ad985

SHA256
683c498e581bec1342e897ead353cefe3dee79a39ef2dcbac91c122f3dde2df6

SHA512
dbeb1adb07fa88d9526677ee51259119aa03c281a238505fa5696f79a642e9be04c216a364be9c802b3149d29584eefcd43bb4ef1440ffb991c9213b469b7bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2640-0-0x00000000741D1000-0x00000000741D2000-memory.dmp

Filesize
4KB

Download
memory/2640-1-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/2640-2-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/2640-23-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-8-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-18-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads