metamorpherrat | 546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5

General

Target

546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe
Size

78KB
MD5

326df025d844f01aa9ba686a47ee3ea0
SHA1

424541dd4ab86075b4a80898eb14f25c099bfe30
SHA256

546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5
SHA512

5f6af293ad57891f8c9573c91d78b435ab6b853ffdb983f049e66aa78e320872df04f5c3d43acf05cdf0df109976e4a39feff7b4ec5b29b13250711629205e5b
SSDEEP

1536:StHHM3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtx9/81vr:StHs3xSyRxvY3md+dWWZyx9/6

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2852	tmpF306.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2424	546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe
2424	546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpF306.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF306.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe
Token: SeDebugPrivilege	2852	tmpF306.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2752	2424	546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe	30
PID 2424 wrote to memory of 2752	2424	546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe	30
PID 2424 wrote to memory of 2752	2424	546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe	30
PID 2424 wrote to memory of 2752	2424	546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe	30
PID 2752 wrote to memory of 2948	2752	vbc.exe	32
PID 2752 wrote to memory of 2948	2752	vbc.exe	32
PID 2752 wrote to memory of 2948	2752	vbc.exe	32
PID 2752 wrote to memory of 2948	2752	vbc.exe	32
PID 2424 wrote to memory of 2852	2424	546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe	33
PID 2424 wrote to memory of 2852	2424	546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe	33
PID 2424 wrote to memory of 2852	2424	546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe	33
PID 2424 wrote to memory of 2852	2424	546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe	33

C:\Users\Admin\AppData\Local\Temp\546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe
"C:\Users\Admin\AppData\Local\Temp\546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kivzvynb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF44F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF44E.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2948
- C:\Users\Admin\AppData\Local\Temp\tmpF306.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF306.tmp.exe" C:\Users\Admin\AppData\Local\Temp\546fd2bf65df6803ce22ecbf935b3203926e891ee94f607992e6d868356c55d5N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF44F.tmp

Filesize
1KB

MD5
ed52a55cda26075bd1701be7b33d4edf

SHA1
8458f65fbf8fa4f8bb2a23dc7bb070dc73890882

SHA256
d68f978e02317f27f3e76d2b4cea281e8282bba2461d1a3b0d1a1b0ad76511fc

SHA512
4483d2c00a3b46c64d583f477238b2d9c709876f00b00f82a3f203bf8dd05eb2a56ea1e2ce508488a84796395a24c13b870e1e072e4c80044d8c5e3823fd1bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kivzvynb.0.vb

Filesize
15KB

MD5
78468cfe21e4907e142445a8de55a7bf

SHA1
37fcc8277f3ddbe64256159d6b5516130c3389cb

SHA256
60ec434b37ee7b78d6f9bf3359efb8407236e3f75b17d455cc312adc29642356

SHA512
7eccd9a61995bbfd51cfeb9a5d7d32f7b25ffb1857a3e84bae2a0c9039b65115f9210764d3a224d8bce453db6d601559d467115c6972d65479bf87aed9c8ddca

Download Submit
C:\Users\Admin\AppData\Local\Temp\kivzvynb.cmdline

Filesize
266B

MD5
bf978e3246d459a3bc10a7add3955bfe

SHA1
5055fcbd06a5cb0a31baad8297169fbe994f0be1

SHA256
8dfc0d678c381a84295ac3724f463786894b9ea5db60d31135f1e0883c1efd46

SHA512
c2f7f8e6f7d967667258b4b8bc1672c7d6b342be13035dfed1c99825ca72e8f2eec8c9c2ad05c74b72ed5e32f2bec45424d6a7c5817e471c7aac76d07f3f7b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF306.tmp.exe

Filesize
78KB

MD5
e5148df450db1e694589040007140072

SHA1
961028ac95ec2a6a6e537219d6ee335e5591233c

SHA256
a4eaa3504fcfdb04ca770865caa7a198bb345677cbbc49089942603bd548c955

SHA512
b82bff0ad1addf99c4b864419d90f1b35462ad98ceb400577d3246b2deac0151ca0b3e1e61c61c975459876267f43bb7341b5b5869dcab156a84fd2b110b30fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF44E.tmp

Filesize
660B

MD5
54d8cf81ba581fb42a8c093cf76116fd

SHA1
3f8b98ad57ccc1706bbb65dd2b68bbd43bdba09a

SHA256
a20db41ab8e8598a1a5b93b1c900bd205613fdcf1a5dd07bcb82bda79acce4fa

SHA512
5a08686ea6ccef051a72be59ee067c6a9aeeb3f5f014cc3ca5882dfcd5a5ed166009c08133eabc1fb7bf1ccff62114d3d312a2d96bdca6b74943c7c3b367247e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2424-0-0x0000000073E71000-0x0000000073E72000-memory.dmp

Filesize
4KB

Download
memory/2424-1-0x0000000073E70000-0x000000007441B000-memory.dmp

Filesize
5.7MB

Download
memory/2424-2-0x0000000073E70000-0x000000007441B000-memory.dmp

Filesize
5.7MB

Download
memory/2424-24-0x0000000073E70000-0x000000007441B000-memory.dmp

Filesize
5.7MB

Download
memory/2752-8-0x0000000073E70000-0x000000007441B000-memory.dmp

Filesize
5.7MB

Download
memory/2752-18-0x0000000073E70000-0x000000007441B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads