metamorpherrat | a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4

General

Target

a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe
Size

78KB
MD5

466d2169f14fd5f145bd6e3e26f48a50
SHA1

83c0c981a317df31ebb71f0ccc4774ab09dcfe38
SHA256

a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4
SHA512

a951fb4fbaefa838cd914fae6da8d6881848510b2e8dad4adf487e2d1aa9f6d126f6a17b2e1546c25c79661a47c222bf13350144c54f14dff64b382439cf812f
SSDEEP

1536:6CHHM3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtRk9/z11Pv:6CHs3xSyRxvY3md+dWWZyRk9/T

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2444	tmp2404.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2264	a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe
2264	a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp2404.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2404.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe
Token: SeDebugPrivilege	2444	tmp2404.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2688	2264	a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe	30
PID 2264 wrote to memory of 2688	2264	a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe	30
PID 2264 wrote to memory of 2688	2264	a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe	30
PID 2264 wrote to memory of 2688	2264	a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe	30
PID 2688 wrote to memory of 2740	2688	vbc.exe	32
PID 2688 wrote to memory of 2740	2688	vbc.exe	32
PID 2688 wrote to memory of 2740	2688	vbc.exe	32
PID 2688 wrote to memory of 2740	2688	vbc.exe	32
PID 2264 wrote to memory of 2444	2264	a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe	33
PID 2264 wrote to memory of 2444	2264	a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe	33
PID 2264 wrote to memory of 2444	2264	a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe	33
PID 2264 wrote to memory of 2444	2264	a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe	33

C:\Users\Admin\AppData\Local\Temp\a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe
"C:\Users\Admin\AppData\Local\Temp\a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ihfvsiox.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25E9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc25E8.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2740
- C:\Users\Admin\AppData\Local\Temp\tmp2404.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2404.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a47caa552620f9f02917e067a4f7933dc2c61b1ed06c0a283ef9e21fde4468e4N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES25E9.tmp

Filesize
1KB

MD5
39c4d93d464dc64b76436b4d42c92e57

SHA1
bb83cc3374076bd0f0904f5c8f3969b63f06c7a2

SHA256
36d0015cd9fa590a98cd86b5b4f27413ba0769498008918f3e34a556bb6dbb98

SHA512
9d02f82915d787d80032a0facf9c7af2860d2f0920a381a43d1b489d43885de2c7dbbc19ae59f9642a033f3653a67b3d7a622750fa9e7e372837e906c3aa0e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihfvsiox.0.vb

Filesize
15KB

MD5
a5258feb43b42ae5622367dd235c216f

SHA1
5a69cf7021625f701680563148832ba8b65b2eb0

SHA256
b357b283b5a0548b9b114df162239a44ad7f25acb888716a3cefbea4badc1b96

SHA512
6a5faf8a98e61bbcf9d86d8fd8a50fcb77b3f75811edbfaaa270490635a243d91ba588fed322391c770c6eb67a5735fc2509e827e4337dd57848f43dba71ee1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihfvsiox.cmdline

Filesize
266B

MD5
049e307a52d4dcd2e381250e6793e305

SHA1
d63f9250d93772863ece656681fb48d725898aa6

SHA256
cb6eab1d6b358d719babc0b2195ea44fe5a006323131266ad67ca21bb05504fc

SHA512
1438eaf8ca8ece82f448801b436bea157974c2a90122b2f4e5d796344ce492ffe67c0bc59ab7b1ca0e9aa67d266e06a2a11aa54d217168c371dc878b3a87585c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2404.tmp.exe

Filesize
78KB

MD5
3652e69aa20bce53ed204ef6aa4b3194

SHA1
d5dd416a98ac05b5e4aed32d3c8b58b97980f81a

SHA256
5d99a3f38fa615ace380b8bd327ec947e4ab2953cb9e7f28a0088b01cb420d7b

SHA512
63ab786336309be2de60ddf41cb771b6fd652f41b66beb9b7a1b9e79ee89ba0862df32fbccf5cc3dc920602c9f4d6d3f6975f0ed48fd6247a7a0b49aca63d29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc25E8.tmp

Filesize
660B

MD5
957f0b0f4647ba5655a5c5524c673e4c

SHA1
f607bcf58d73d68eb5050f9744012a25ac253838

SHA256
0fb99731c093fdede324275b8e03fabd7a216fca08539247953b8ab9b0d20cb5

SHA512
24ad1aa0c7a26ff6c0d405bed7ceeb7e1dcd20f9e5b460fb05e0daa70f5087a2a6625d86877036b06b1b81b9e1435616bf7ee29fd2164d7af3df63a4d8a6a421

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2264-0-0x0000000074B31000-0x0000000074B32000-memory.dmp

Filesize
4KB

Download
memory/2264-1-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2264-2-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2264-24-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2688-8-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2688-18-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads