metamorpherrat | d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351

General

Target

d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
Size

78KB
MD5

88bdc277be811cc4d1a6cdce3de630a0
SHA1

4430e568aea8bd2deef33dad79f35753d44ace2a
SHA256

d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351
SHA512

64c6252a6f2116073cbd40c603af35763ca265419c8c3fb9dd50eaa16af9dc05a0efe745404327831a24cf05440f9599d987f15702af2915c48959eddc2de023
SSDEEP

1536:6WtHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtw9/F1kJ:6WtHFon3xSyRxvY3md+dWWZyw9/Y

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2692	tmp9B75.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2436	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
2436	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp9B75.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9B75.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2436	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
Token: SeDebugPrivilege	2692	tmp9B75.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2376	2436	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe	30
PID 2436 wrote to memory of 2376	2436	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe	30
PID 2436 wrote to memory of 2376	2436	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe	30
PID 2436 wrote to memory of 2376	2436	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe	30
PID 2376 wrote to memory of 2092	2376	vbc.exe	32
PID 2376 wrote to memory of 2092	2376	vbc.exe	32
PID 2376 wrote to memory of 2092	2376	vbc.exe	32
PID 2376 wrote to memory of 2092	2376	vbc.exe	32
PID 2436 wrote to memory of 2692	2436	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe	33
PID 2436 wrote to memory of 2692	2436	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe	33
PID 2436 wrote to memory of 2692	2436	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe	33
PID 2436 wrote to memory of 2692	2436	d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe	33

C:\Users\Admin\AppData\Local\Temp\d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
"C:\Users\Admin\AppData\Local\Temp\d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lux4xvzn.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C60.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9C5F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2092
- C:\Users\Admin\AppData\Local\Temp\tmp9B75.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9B75.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d332f653fe98722c857511bff7af563fd07380f8a58deb0c3f9c67eb3fbfe351N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9C60.tmp

Filesize
1KB

MD5
17d41c7e127281483668e15d14cac566

SHA1
62b40355cd94a01b37c8e1b3606642b7a8305225

SHA256
e5b5d900b82ce04acb9e8dfe629548218256b79609af6348021fff0c3c29c7b0

SHA512
c2511012467d5909d7d4a45058708cbff868531130fac7564155d58328ba0de2e4900d6a9d7422e82b9f40899518d969b8b5a84ddb9194794a7ae15b5ad8b259

Download Submit
C:\Users\Admin\AppData\Local\Temp\lux4xvzn.0.vb

Filesize
15KB

MD5
7f817ba9c05c2e686e233f2425acdec9

SHA1
8c23394385eacd44d22674be5e7c8bc8a4add62c

SHA256
4164375758fcf997be0f1ab79f46ac4af30670ed4c0a182223ccc169967634db

SHA512
06dce172b318cc9d5047107c46405503efddfa7782f3fe9b005f3a687d63e81c2f76d5caba8cf6800f0a460bee3e4810fd7a5d6ad49037a541bf1d3bd6da3996

Download Submit
C:\Users\Admin\AppData\Local\Temp\lux4xvzn.cmdline

Filesize
266B

MD5
464f5fc6d6d59015c40d9c73cd4028d6

SHA1
fbb0aeb89b621309da843c859690b0c1a30f81ec

SHA256
96849bd6954f618957964bb5f98a330c6b91c1a1348d57282819a7116b2ba304

SHA512
8ab5b08a4ecd44234cd641f742aa6b9e6624516c8db300e8f228bab18e2d07168a4cca4d3ed2362d0f91606e400d53861e12c23727bb3eee5dfd2b941436895c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9B75.tmp.exe

Filesize
78KB

MD5
7741de5ae323ce5775c7e492200a2aa9

SHA1
7731d8fbb6c9b5e35d2730f3a8a8d4fda22163ca

SHA256
f8936da7624e806a247baedb18607d289b3fc16b012a6dc1b0e823ec3f92a565

SHA512
e7a545710524a1e49bb5b0d43a595c1efe380148ad5d768af244cb2e0a9728ec21113d6e51e4a6a383fe29b61d44dda5fc62cc6e3caa29db058935e01ff67911

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9C5F.tmp

Filesize
660B

MD5
36193c9de8de6c2ab48ec38ff599298e

SHA1
2da2fdd516cf00a236bb89ebb171ad05403c0acb

SHA256
667349e1b5add887cff9465baa7ffe32534f8ae686d1f2eaea44c913600cb7d1

SHA512
63e4f96f37d41ee468cdd9c2d458d736f02f4f5e2cbaef6ceecf35c986dd7c74437e99f4870c375f26f5e22225d5010fdc191f4083bc6ff9f43ef50ebdb33a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2376-8-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2376-18-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2436-0-0x0000000074271000-0x0000000074272000-memory.dmp

Filesize
4KB

Download
memory/2436-1-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2436-2-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2436-24-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads