metamorpherrat | d538b9218e152a11be44a5aa1cc7013cc85a303f8aee6f3abfd103f784160578

General

Target

d538b9218e152a11be44a5aa1cc7013cc85a303f8aee6f3abfd103f784160578N.exe
Size

78KB
MD5

b16ad650cc6eba3617f5bcb383ec8230
SHA1

03557d34425747d10443e8de3ab981b6071a13c4
SHA256

d538b9218e152a11be44a5aa1cc7013cc85a303f8aee6f3abfd103f784160578
SHA512

713981e35c07752440424559f616436651a43ebbf9d703f0b35b5671b4a81f577086719d48e0efebdbbbdb42ce357715c43b918abef42f46ab75214db4377573
SSDEEP

1536:qWtHY6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtc49/81JE:qWtHYn3xSyRxvY3md+dWWZyc49/D

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2768	tmpB4ED.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1992	d538b9218e152a11be44a5aa1cc7013cc85a303f8aee6f3abfd103f784160578N.exe
1992	d538b9218e152a11be44a5aa1cc7013cc85a303f8aee6f3abfd103f784160578N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpB4ED.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d538b9218e152a11be44a5aa1cc7013cc85a303f8aee6f3abfd103f784160578N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB4ED.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	d538b9218e152a11be44a5aa1cc7013cc85a303f8aee6f3abfd103f784160578N.exe
Token: SeDebugPrivilege	2768	tmpB4ED.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1628	1992	d538b9218e152a11be44a5aa1cc7013cc85a303f8aee6f3abfd103f784160578N.exe	30
PID 1992 wrote to memory of 1628	1992	d538b9218e152a11be44a5aa1cc7013cc85a303f8aee6f3abfd103f784160578N.exe	30
PID 1992 wrote to memory of 1628	1992	d538b9218e152a11be44a5aa1cc7013cc85a303f8aee6f3abfd103f784160578N.exe	30
PID 1992 wrote to memory of 1628	1992	d538b9218e152a11be44a5aa1cc7013cc85a303f8aee6f3abfd103f784160578N.exe	30
PID 1628 wrote to memory of 2196	1628	vbc.exe	32
PID 1628 wrote to memory of 2196	1628	vbc.exe	32
PID 1628 wrote to memory of 2196	1628	vbc.exe	32
PID 1628 wrote to memory of 2196	1628	vbc.exe	32
PID 1992 wrote to memory of 2768	1992	d538b9218e152a11be44a5aa1cc7013cc85a303f8aee6f3abfd103f784160578N.exe	33
PID 1992 wrote to memory of 2768	1992	d538b9218e152a11be44a5aa1cc7013cc85a303f8aee6f3abfd103f784160578N.exe	33
PID 1992 wrote to memory of 2768	1992	d538b9218e152a11be44a5aa1cc7013cc85a303f8aee6f3abfd103f784160578N.exe	33
PID 1992 wrote to memory of 2768	1992	d538b9218e152a11be44a5aa1cc7013cc85a303f8aee6f3abfd103f784160578N.exe	33

C:\Users\Admin\AppData\Local\Temp\d538b9218e152a11be44a5aa1cc7013cc85a303f8aee6f3abfd103f784160578N.exe
"C:\Users\Admin\AppData\Local\Temp\d538b9218e152a11be44a5aa1cc7013cc85a303f8aee6f3abfd103f784160578N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\skmt4med.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB58A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB589.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2196
- C:\Users\Admin\AppData\Local\Temp\tmpB4ED.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB4ED.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d538b9218e152a11be44a5aa1cc7013cc85a303f8aee6f3abfd103f784160578N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB58A.tmp

Filesize
1KB

MD5
9882cbf206a9c1fac8952b8ce6c88f3c

SHA1
43b1e415c4c461978dda4eb8382368354f4c04f6

SHA256
a1ab65c43038e072baa04a9482ff612edb66b02862e282fc0087054d75a5914d

SHA512
5b5526bb7b5313afc07e1ca89817813d6ae7fbca0c7d471d2b5d736d7f972021c5a2fcf3f2bff251959c9f492fc658563ef2ea8b515ce7e49b426f50cf2e4eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\skmt4med.0.vb

Filesize
15KB

MD5
aa3eba213c2efbc4b84481389a4e6af0

SHA1
0ce586e75b48673822ffc850ec6000d902b6ab26

SHA256
55518c0a723cbfab574937df0f29571fcb39064dd8a032e14a4b837148fd5504

SHA512
18c5088d2c85100d014b46d0118300dcb08103731f41271dd5c40fa037b3b99e21375e17d146d2da13378667d6d74626d41a51557fb2dc852647a54ba37e5d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\skmt4med.cmdline

Filesize
266B

MD5
5cc9909e49cd3acd475ffe8703513aee

SHA1
fac8dba442da648b879c8782a60a9c9536c97787

SHA256
2b1ef16151b3bee5784fc255386eae6ede324de2a90dad8381d757eaa0491a93

SHA512
f11c5c6845eb7a8c8cef65825690acc06180fcfbc6a8ea3d6f9a44ca5f370ab8de14ab903fea1a649fd201fd58d8101f94f100b03a07d3e524bf9c8ea9a0866c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB4ED.tmp.exe

Filesize
78KB

MD5
2dd2635844bf8a634de6c240c00c86d9

SHA1
59ca3d87444159a4f899913a3acd14f4b1cfa0f0

SHA256
bee30ba07ac23980ca43729ff196413af40532a34f4eea280628125c48e01b08

SHA512
e6b946e42ee827b5fb509ff61f67cfe9544e6339966138f1b42b99efd5f26c5a18c20d1417f4366fef312a1cff8d64e472d0edfe089cbd5c747cd898c1d38488

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB589.tmp

Filesize
660B

MD5
f8e46a19e25076534f0be39b8d06e670

SHA1
d708abb2e86dead484f5905cfb744faf281e66ad

SHA256
263436ad78f9a0ada7a455eb2c80eee5bd46e5bcdac5c616ad3e0c03d4eb17bd

SHA512
9767b8fdb1177833d43143bb3aeba593fae31160fc6f96a829dab68d642b2771fb581e3914e9f02f3eeac1b8af32d55edcc24ee5caa30139c6fca92e28b902ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1628-8-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-18-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1992-0-0x0000000074371000-0x0000000074372000-memory.dmp

Filesize
4KB

Download
memory/1992-1-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1992-2-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1992-24-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads