metamorpherrat | 7b06de6b5c9aff0d4e12b709b62fadcd882a3f8378fd83bfd80c072cd9b969fa

General

Target

7b06de6b5c9aff0d4e12b709b62fadcd882a3f8378fd83bfd80c072cd9b969fa.exe
Size

78KB
MD5

87b0da861efeaa69a882eb8b9fe76268
SHA1

b117b13ad72089e771765a3915ad8336b8ed7e7b
SHA256

7b06de6b5c9aff0d4e12b709b62fadcd882a3f8378fd83bfd80c072cd9b969fa
SHA512

f7cff162e43685665225feb74ef4f601cac086852a07f34874d32826196ed361f2f74916d665e7e84a2f2c707897943295f832d4fad0fb4f3d0b79920933fd1d
SSDEEP

1536:kuHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQteh9/341PL:kuHFon3xSyRxvY3md+dWWZyeh9/3u

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1852	tmpB5C8.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
3008	7b06de6b5c9aff0d4e12b709b62fadcd882a3f8378fd83bfd80c072cd9b969fa.exe
3008	7b06de6b5c9aff0d4e12b709b62fadcd882a3f8378fd83bfd80c072cd9b969fa.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpB5C8.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b06de6b5c9aff0d4e12b709b62fadcd882a3f8378fd83bfd80c072cd9b969fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB5C8.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	7b06de6b5c9aff0d4e12b709b62fadcd882a3f8378fd83bfd80c072cd9b969fa.exe
Token: SeDebugPrivilege	1852	tmpB5C8.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2504	3008	7b06de6b5c9aff0d4e12b709b62fadcd882a3f8378fd83bfd80c072cd9b969fa.exe	30
PID 3008 wrote to memory of 2504	3008	7b06de6b5c9aff0d4e12b709b62fadcd882a3f8378fd83bfd80c072cd9b969fa.exe	30
PID 3008 wrote to memory of 2504	3008	7b06de6b5c9aff0d4e12b709b62fadcd882a3f8378fd83bfd80c072cd9b969fa.exe	30
PID 3008 wrote to memory of 2504	3008	7b06de6b5c9aff0d4e12b709b62fadcd882a3f8378fd83bfd80c072cd9b969fa.exe	30
PID 2504 wrote to memory of 2672	2504	vbc.exe	32
PID 2504 wrote to memory of 2672	2504	vbc.exe	32
PID 2504 wrote to memory of 2672	2504	vbc.exe	32
PID 2504 wrote to memory of 2672	2504	vbc.exe	32
PID 3008 wrote to memory of 1852	3008	7b06de6b5c9aff0d4e12b709b62fadcd882a3f8378fd83bfd80c072cd9b969fa.exe	33
PID 3008 wrote to memory of 1852	3008	7b06de6b5c9aff0d4e12b709b62fadcd882a3f8378fd83bfd80c072cd9b969fa.exe	33
PID 3008 wrote to memory of 1852	3008	7b06de6b5c9aff0d4e12b709b62fadcd882a3f8378fd83bfd80c072cd9b969fa.exe	33
PID 3008 wrote to memory of 1852	3008	7b06de6b5c9aff0d4e12b709b62fadcd882a3f8378fd83bfd80c072cd9b969fa.exe	33

C:\Users\Admin\AppData\Local\Temp\7b06de6b5c9aff0d4e12b709b62fadcd882a3f8378fd83bfd80c072cd9b969fa.exe
"C:\Users\Admin\AppData\Local\Temp\7b06de6b5c9aff0d4e12b709b62fadcd882a3f8378fd83bfd80c072cd9b969fa.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mw0eihau.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6A3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB6A2.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2672
- C:\Users\Admin\AppData\Local\Temp\tmpB5C8.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB5C8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7b06de6b5c9aff0d4e12b709b62fadcd882a3f8378fd83bfd80c072cd9b969fa.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB6A3.tmp

Filesize
1KB

MD5
068e6d1f0bfc3edfa1fbd72a92b274ea

SHA1
f5e209d2544b7d8da8fd72477d560749f80e4aa0

SHA256
09286673115156dec03794912f6dacf0896021603c48ed90a35e4ffc623bb97f

SHA512
9c0b898b62d88a7999a96d972195f5957be95050b8f4ddba56cb9946c186883b75fd44d233085faa18a10d68acb64a12f1f7255110a78bb963c3a985d8340195

Download Submit
C:\Users\Admin\AppData\Local\Temp\mw0eihau.0.vb

Filesize
15KB

MD5
04695ffb6859e29b8ae1d789d9d997bb

SHA1
c6250f01f243a0e3a8e04956101aa64728589201

SHA256
e016ced9a2d8be935bee5cb7bb69c089ee6883cd822e53f0ecf8836d862ca3d8

SHA512
14c11b1fe86147039e78962cc0957d0b3fff534b647ccc4b05852abc758660df8a46b58bb3e248ecd56634f331b51cc58cd317d270b38adb17b73179ce3e2b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mw0eihau.cmdline

Filesize
266B

MD5
e036a09a695dd68a14a27ef212a6555a

SHA1
fc1109518c494f370fe73333217ab278ed956699

SHA256
da7e19e0f0275b7bbe379d5cb979119c365f316463d46314bf976401702edf08

SHA512
f2c568ad9d91dcb218344fb460c8860454926a2460e74f3e5894091fe60fef0ada53c97a90a8c56c03dccc5230584ecf5cdf745187dc66ff1a205b4396170651

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB5C8.tmp.exe

Filesize
78KB

MD5
f1aefd93cd2e03117ed7bd5a2db2dae4

SHA1
96a59f4f6fe642bc5b2b0d2316026c4e7d535761

SHA256
da94c653edb4ca6c4c9e682d03b9cd64e6f6ac06d0e352beb7bad7ac78d631e6

SHA512
8ebb04503a721d44d039009fa9e96e6daa087f497b13dab0da29012d152da418361015ea6a0fb13ce060e141b3482231d1491f821e3faef6f44270b28cced8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB6A2.tmp

Filesize
660B

MD5
c62e8e43a48c38da44894887068e5a5c

SHA1
30503ea637bd5fc938bfeec9ecff1fe648d9cfc0

SHA256
1eb6c76a1dd806cb6447cd4d2837d8b94a211f297a3cb3c1356a1f1c1728910d

SHA512
a821d61056f2881be8c0ba6fa4e5d77e3f0e042dbc087c30d5cb4522215553e6cb468d7f540f0e6c3b16415bab636a123e2b59be6b2694ac5b5edf695206775c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2504-8-0x0000000074720000-0x0000000074CCB000-memory.dmp

Filesize
5.7MB

Download
memory/2504-18-0x0000000074720000-0x0000000074CCB000-memory.dmp

Filesize
5.7MB

Download
memory/3008-0-0x0000000074721000-0x0000000074722000-memory.dmp

Filesize
4KB

Download
memory/3008-1-0x0000000074720000-0x0000000074CCB000-memory.dmp

Filesize
5.7MB

Download
memory/3008-2-0x0000000074720000-0x0000000074CCB000-memory.dmp

Filesize
5.7MB

Download
memory/3008-24-0x0000000074720000-0x0000000074CCB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads