metamorpherrat | d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351

General

Target

d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
Size

78KB
MD5

88bdc277be811cc4d1a6cdce3de630a0
SHA1

4430e568aea8bd2deef33dad79f35753d44ace2a
SHA256

d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351
SHA512

64c6252a6f2116073cbd40c603af35763ca265419c8c3fb9dd50eaa16af9dc05a0efe745404327831a24cf05440f9599d987f15702af2915c48959eddc2de023
SSDEEP

1536:6WtHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtw9/F1kJ:6WtHFon3xSyRxvY3md+dWWZyw9/Y

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2804	tmpE2C1.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2308	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
2308	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpE2C1.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE2C1.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
Token: SeDebugPrivilege	2804	tmpE2C1.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2236	2308	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe	31
PID 2308 wrote to memory of 2236	2308	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe	31
PID 2308 wrote to memory of 2236	2308	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe	31
PID 2308 wrote to memory of 2236	2308	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe	31
PID 2236 wrote to memory of 2844	2236	vbc.exe	33
PID 2236 wrote to memory of 2844	2236	vbc.exe	33
PID 2236 wrote to memory of 2844	2236	vbc.exe	33
PID 2236 wrote to memory of 2844	2236	vbc.exe	33
PID 2308 wrote to memory of 2804	2308	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe	34
PID 2308 wrote to memory of 2804	2308	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe	34
PID 2308 wrote to memory of 2804	2308	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe	34
PID 2308 wrote to memory of 2804	2308	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe	34

C:\Users\Admin\AppData\Local\Temp\d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
"C:\Users\Admin\AppData\Local\Temp\d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7wbumuga.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE37D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE37C.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
- C:\Users\Admin\AppData\Local\Temp\tmpE2C1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE2C1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7wbumuga.0.vb

Filesize
15KB

MD5
c7b35bc407075618ec80b7a4c7aee759

SHA1
4fb07da38de96c1e297f70463a5e777bf788a399

SHA256
a9fe7b15fe14cdfdb235b1d33139394ab6018d2172fdc0553ac0d2a948c5dd59

SHA512
9f5c04f59ea1029959ea25ba8e1c9ca8d615d52e138514ec6a27798d79d9a645cd2a0a70a9172ae20a6750ad8eeaa09a66da7a7ebf3c8b86ab0ab572cfab1b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\7wbumuga.cmdline

Filesize
266B

MD5
4743d24f8becd033b50345f8cc9968d0

SHA1
0b5750459bb637cd9b53d522f11ae485d417c582

SHA256
a0b259d927b309adb3dccbc858bc8083bd940219bc6e2d51e1c72d95ae81d2b4

SHA512
1eb97c152e811b686534ce598d8c2e3543a7843f5acebf1f8ab94d3b15dc9c5ef3a4b8478008f11f242bf6614b62b40dc46718f4c0d4e033d7ea8e0112bd125d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE37D.tmp

Filesize
1KB

MD5
b47c87e9883b3c9cfffb41e882ea9998

SHA1
c256ff893c453f849187e4c90b8f8302631e4af7

SHA256
6d649e1d0f0506b62da08c159a9578803a14acd232cfb2de7ff9ad4fdaf33bda

SHA512
dd4e4c6b9f2b5e84c3998152c7c25108a16a5cb1b5e0d373890703a8ab799d887d113d3e4bbab16ee2c486f72f0ac768fa83cde80a8ccf5ed437101615cbb6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE2C1.tmp.exe

Filesize
78KB

MD5
cd23ed28815cc9a1296e167cd4b4a6fa

SHA1
658bf01b2f38e0dc9f7f5d931dc53ecd562b3455

SHA256
98e4487c40bed5d9b25f643147e7cd4957634166feb16223b0f3bd84ff1b7cc2

SHA512
d73facaa4b18066b61f4abbc4820ffad34e40a04119714446e92fb1b7661d813838e7c57aacf2adbdfb884ba4b639385d8bedae700031444de73b6986b86e7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE37C.tmp

Filesize
660B

MD5
62440c459515189136913234c5034548

SHA1
194681b0947d7c774c52ad1bbc4cdc70e48ef7da

SHA256
5c8e2d884e296ce90f203777bee47b6ac626ea57a140482001674c7e8084120d

SHA512
7cbf5df6873f2b00a02ca66fd2a64cebeb3947b90f567734c7ee63e9e03cab1f55b47e5e22f4c6c59a6eec0c5c775ddc9eb5fce2d4ceb240229f74fec84af7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2236-8-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2236-18-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2308-0-0x00000000747D1000-0x00000000747D2000-memory.dmp

Filesize
4KB

Download
memory/2308-1-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2308-2-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2308-24-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads