metamorpherrat | 1be109b8167be33c98e19cc14a78229fb15f9cdf8c704ee7b043ce241c1ed94a

General

Target

1be109b8167be33c98e19cc14a78229fb15f9cdf8c704ee7b043ce241c1ed94a.exe
Size

78KB
MD5

b8af94087121b4417657ef8867ab51ff
SHA1

d4b1868f9c6e746bb494875d749c20cea9e2b886
SHA256

1be109b8167be33c98e19cc14a78229fb15f9cdf8c704ee7b043ce241c1ed94a
SHA512

e4439310630b0a90667f1049915925e5be4e4bf2a629760a0a4b0d560f37caa334696077bce2c52bbbee5fd98da0f470f8228c9d925bf777b4af46bc846224c5
SSDEEP

1536:jPCHHM3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt39/K1DN:jPCHs3xSyRxvY3md+dWWZy39/G

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2836	tmp586D.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2772	1be109b8167be33c98e19cc14a78229fb15f9cdf8c704ee7b043ce241c1ed94a.exe
2772	1be109b8167be33c98e19cc14a78229fb15f9cdf8c704ee7b043ce241c1ed94a.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp586D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp586D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1be109b8167be33c98e19cc14a78229fb15f9cdf8c704ee7b043ce241c1ed94a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	1be109b8167be33c98e19cc14a78229fb15f9cdf8c704ee7b043ce241c1ed94a.exe
Token: SeDebugPrivilege	2836	tmp586D.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 3064	2772	1be109b8167be33c98e19cc14a78229fb15f9cdf8c704ee7b043ce241c1ed94a.exe	30
PID 2772 wrote to memory of 3064	2772	1be109b8167be33c98e19cc14a78229fb15f9cdf8c704ee7b043ce241c1ed94a.exe	30
PID 2772 wrote to memory of 3064	2772	1be109b8167be33c98e19cc14a78229fb15f9cdf8c704ee7b043ce241c1ed94a.exe	30
PID 2772 wrote to memory of 3064	2772	1be109b8167be33c98e19cc14a78229fb15f9cdf8c704ee7b043ce241c1ed94a.exe	30
PID 3064 wrote to memory of 2364	3064	vbc.exe	32
PID 3064 wrote to memory of 2364	3064	vbc.exe	32
PID 3064 wrote to memory of 2364	3064	vbc.exe	32
PID 3064 wrote to memory of 2364	3064	vbc.exe	32
PID 2772 wrote to memory of 2836	2772	1be109b8167be33c98e19cc14a78229fb15f9cdf8c704ee7b043ce241c1ed94a.exe	33
PID 2772 wrote to memory of 2836	2772	1be109b8167be33c98e19cc14a78229fb15f9cdf8c704ee7b043ce241c1ed94a.exe	33
PID 2772 wrote to memory of 2836	2772	1be109b8167be33c98e19cc14a78229fb15f9cdf8c704ee7b043ce241c1ed94a.exe	33
PID 2772 wrote to memory of 2836	2772	1be109b8167be33c98e19cc14a78229fb15f9cdf8c704ee7b043ce241c1ed94a.exe	33

C:\Users\Admin\AppData\Local\Temp\1be109b8167be33c98e19cc14a78229fb15f9cdf8c704ee7b043ce241c1ed94a.exe
"C:\Users\Admin\AppData\Local\Temp\1be109b8167be33c98e19cc14a78229fb15f9cdf8c704ee7b043ce241c1ed94a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1o4ggwkh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BC8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5BC7.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2364
- C:\Users\Admin\AppData\Local\Temp\tmp586D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp586D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1be109b8167be33c98e19cc14a78229fb15f9cdf8c704ee7b043ce241c1ed94a.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1o4ggwkh.0.vb

Filesize
15KB

MD5
d5cde84ec028773ce3a1b48c827f1a52

SHA1
769d828f6e0a4e157cc9ac81ce7b4cf098dc7bb0

SHA256
ac88956620b87d549aef783646e71d280670cac3d8796372c935466d6702f094

SHA512
b02607f13de4a4ca81fd5b94ed80a39d3e18be8e0ab918d2c6d4749fc0a262947e00bb36a5554a53092d44901955e335056114927d49ab96f17915e7313bb616

Download Submit
C:\Users\Admin\AppData\Local\Temp\1o4ggwkh.cmdline

Filesize
266B

MD5
db0fe3c6bdc776c5e8ee771b1bbe8f00

SHA1
077ad3c5d53a42d400d8a7fb93a9e9feed5e7b5b

SHA256
d3aeab65751f8014a693ba6cb0a8ba4d84d716d91c3618e75ff621fd829a10c8

SHA512
b1b7b50a8b1769f332a5b1f37d12a5d47fa55abd2c9f3888a853387eab962a82af5b9a3ee9375ae8dd3b6559741925af7a3856d8b0d88497eb8a868ec91e9d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5BC8.tmp

Filesize
1KB

MD5
c34513375aeef4dc2f89dec3cff934b9

SHA1
759fcd8fb896adca18de1e39baa5ccd9a972398c

SHA256
51bd2129ee642266ae4fb1f2f2b308648f2baff822afac36a412c105e53f9684

SHA512
fbbdbd25291d89389a8486eaafd55b9e7dad43de1913111e4e8a8955cf911339c5b5e298a6596b7d9871748a521d200f54d2c31d34c04df3780499c89d76f92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp586D.tmp.exe

Filesize
78KB

MD5
5bdbe69878bab671f9b33b0434657788

SHA1
46d7a58f3049ba22ca565c40ff1c973ce636ec59

SHA256
e08e0bbe48d42e1e732d8d63be7ff72008f2fa657db510bb10195c24963a511c

SHA512
ed6e89be444d99693f4116d0cd67c86784186e18ff0804502c471c2fecdd91bd18f4ec3029a12686e5c6d2828fae242d23a1fa386c23473bab85eaf6ca0087dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5BC7.tmp

Filesize
660B

MD5
e43153072b4ad61355541c2b6b382d04

SHA1
0dd477621c085ab2e42f738322b76f4d13508cca

SHA256
43556a0cecc245940dcbd67a27e47db256b44be0d6823c2535feeb411524cae5

SHA512
69dfe1db0a9e01bfb4ff41ba06a8b9c0dce467b72df1bdfff5c207a396923c0006545c426299076d8108e5ef287dd2a1e395b2d29d55790cb682e1c1ba7d1c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2772-0-0x0000000074C01000-0x0000000074C02000-memory.dmp

Filesize
4KB

Download
memory/2772-1-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2772-2-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2772-24-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/3064-8-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/3064-18-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads