metamorpherrat | 9dadfe0f5ab4242d2df27548aafb9f450824a933a40f34a8c1f94e02b7c26e9a

General

Target

9dadfe0f5ab4242d2df27548aafb9f450824a933a40f34a8c1f94e02b7c26e9a.exe
Size

78KB
MD5

4a5397199affc4aa93e1340602f7a381
SHA1

001cd5f2c380e7722c997bdb907608c88309e0fd
SHA256

9dadfe0f5ab4242d2df27548aafb9f450824a933a40f34a8c1f94e02b7c26e9a
SHA512

e161bdc33d07fc311448a9932b990fb8370a42be387f657624a05d29cb27e7aba2c08f29cdd00a9ebd312262b593e276ab55327021884dd0e94bc451d7452970
SSDEEP

1536:EWtHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQteE9/NF31HG:EWtHFon3xSyRxvY3md+dWWZyeE9/NFU

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2636	tmpE2E0.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2948	9dadfe0f5ab4242d2df27548aafb9f450824a933a40f34a8c1f94e02b7c26e9a.exe
2948	9dadfe0f5ab4242d2df27548aafb9f450824a933a40f34a8c1f94e02b7c26e9a.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpE2E0.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE2E0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9dadfe0f5ab4242d2df27548aafb9f450824a933a40f34a8c1f94e02b7c26e9a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	9dadfe0f5ab4242d2df27548aafb9f450824a933a40f34a8c1f94e02b7c26e9a.exe
Token: SeDebugPrivilege	2636	tmpE2E0.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2952	2948	9dadfe0f5ab4242d2df27548aafb9f450824a933a40f34a8c1f94e02b7c26e9a.exe	31
PID 2948 wrote to memory of 2952	2948	9dadfe0f5ab4242d2df27548aafb9f450824a933a40f34a8c1f94e02b7c26e9a.exe	31
PID 2948 wrote to memory of 2952	2948	9dadfe0f5ab4242d2df27548aafb9f450824a933a40f34a8c1f94e02b7c26e9a.exe	31
PID 2948 wrote to memory of 2952	2948	9dadfe0f5ab4242d2df27548aafb9f450824a933a40f34a8c1f94e02b7c26e9a.exe	31
PID 2952 wrote to memory of 2124	2952	vbc.exe	33
PID 2952 wrote to memory of 2124	2952	vbc.exe	33
PID 2952 wrote to memory of 2124	2952	vbc.exe	33
PID 2952 wrote to memory of 2124	2952	vbc.exe	33
PID 2948 wrote to memory of 2636	2948	9dadfe0f5ab4242d2df27548aafb9f450824a933a40f34a8c1f94e02b7c26e9a.exe	34
PID 2948 wrote to memory of 2636	2948	9dadfe0f5ab4242d2df27548aafb9f450824a933a40f34a8c1f94e02b7c26e9a.exe	34
PID 2948 wrote to memory of 2636	2948	9dadfe0f5ab4242d2df27548aafb9f450824a933a40f34a8c1f94e02b7c26e9a.exe	34
PID 2948 wrote to memory of 2636	2948	9dadfe0f5ab4242d2df27548aafb9f450824a933a40f34a8c1f94e02b7c26e9a.exe	34

C:\Users\Admin\AppData\Local\Temp\9dadfe0f5ab4242d2df27548aafb9f450824a933a40f34a8c1f94e02b7c26e9a.exe
"C:\Users\Admin\AppData\Local\Temp\9dadfe0f5ab4242d2df27548aafb9f450824a933a40f34a8c1f94e02b7c26e9a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5sf7xenv.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3DB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE3DA.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2124
- C:\Users\Admin\AppData\Local\Temp\tmpE2E0.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE2E0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9dadfe0f5ab4242d2df27548aafb9f450824a933a40f34a8c1f94e02b7c26e9a.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5sf7xenv.0.vb

Filesize
15KB

MD5
60f9ea65bfc5ed033db28e226af6a1e5

SHA1
e72ba1ede3fc8c3ffb63d5e273596a01573602b3

SHA256
34f7fb168472bb46b0e2b52d4efb4577b518654b5c9acba47b38440d99d3f5d5

SHA512
e4897bcd6882aaa0afa395d22db0132fae56e589d55dc756cce3d87496b54a6db0a49594ab3a8e6b5130d261815135f1cc76700f37d8500ad6432c2bea0761f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5sf7xenv.cmdline

Filesize
266B

MD5
b79307437cd830b7c9fac4c7dd6a7a6f

SHA1
cdc22ca15dfe5dd6de5a78c23aab6bc8f9af9e78

SHA256
40d5e7e3f5a724bc6b476a921603a26502b625f385a8dd5172b691caccdc78f0

SHA512
b47708a2e7a5fdd8f7d5a8f9c1bf44707d46feb90fe7c0156d2fd4b293c8f44d5e87482792dad1ed7005a2bd2650eea534d7b4ee8d3521e46056a2f9b6bab6f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE3DB.tmp

Filesize
1KB

MD5
390f1c728f52397a2582bbedc04555b3

SHA1
04a658f8dfabd39063db98ee8224e4d0ae628715

SHA256
8a589f0c7a59cdcfd04f03610723d2346697fe66cd98b2dc15d4fdbaff8cdac2

SHA512
def472d671341776667fa2f848c29e1374dcd08ff16edbc91bc246d4bf951b0d8c199f5e75e64d793bd2edd9078df6118935a157a55f2594fc10ef90e12423f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE2E0.tmp.exe

Filesize
78KB

MD5
dc138a968ceb3d4d5d86e50b694ff900

SHA1
654d1a3dd398d7634c0ba5e8362dcbd4ecda7070

SHA256
49931f1f6b41a5a2ed351144085cb89ed0b6892c180a9c26b160a2c1f562ba21

SHA512
136b5a5166d51cd45b39bea4b94b97adc0b759bb035f5db4809848a9724f433366498ba033922cff419e43914678bc91c915f2cda2eb0580a86041d83723e753

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE3DA.tmp

Filesize
660B

MD5
eb7d07f0cc9a8cacdc7e5577c817431d

SHA1
a80f157339c19ba4f48ae16d404b37b16d806663

SHA256
e81723f27fc5d8799b86956a0e40e3a427c2d66f9a2775d0e5c87e980b4c0f8a

SHA512
fbeaea1999ac9c2e972ec5d8d46b1d3df4d95bf448473828bd5ea6950aadd158dbac91f202f7a85a5723f3f22a9c6dc44c0f9006850a27a40623b1dab5815f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2948-0-0x0000000074D21000-0x0000000074D22000-memory.dmp

Filesize
4KB

Download
memory/2948-1-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2948-2-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2948-24-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2952-8-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2952-18-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads