metamorpherrat | e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1

General

Target

e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe
Size

78KB
MD5

4e65fa07b5cfcd20bff532895591fde0
SHA1

485ad52859548efa90bf64b72ea5949734fd81e3
SHA256

e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1
SHA512

4c6943308d4e00498a53357ed2ce61e20fc40d5899afb7db7d9ee475f59cc4cb83273dd2ff9c4966de58150b5c03e917704c1ccabda84903e0694233a4befff3
SSDEEP

1536:nPy5jSwXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtC6p9/c1FO:nPy5jSoSyRxvY3md+dWWZyx9/9

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2864	tmpE8BA.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2244	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe
2244	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpE8BA.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE8BA.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe
Token: SeDebugPrivilege	2864	tmpE8BA.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 1480	2244	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe	29
PID 2244 wrote to memory of 1480	2244	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe	29
PID 2244 wrote to memory of 1480	2244	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe	29
PID 2244 wrote to memory of 1480	2244	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe	29
PID 1480 wrote to memory of 2204	1480	vbc.exe	31
PID 1480 wrote to memory of 2204	1480	vbc.exe	31
PID 1480 wrote to memory of 2204	1480	vbc.exe	31
PID 1480 wrote to memory of 2204	1480	vbc.exe	31
PID 2244 wrote to memory of 2864	2244	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe	32
PID 2244 wrote to memory of 2864	2244	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe	32
PID 2244 wrote to memory of 2864	2244	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe	32
PID 2244 wrote to memory of 2864	2244	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe	32

C:\Users\Admin\AppData\Local\Temp\e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe
"C:\Users\Admin\AppData\Local\Temp\e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ofxpdwmh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED5C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcED5B.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2204
- C:\Users\Admin\AppData\Local\Temp\tmpE8BA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE8BA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESED5C.tmp

Filesize
1KB

MD5
91ef77108aa9fb76a07a4c586b1288a2

SHA1
cfc0a734099ff3666fab8c1837bce3b3a387bc7b

SHA256
48fda29ccd6dbf98a6cc43d5e0b0ea2332f1d2017accd90eb6e2a00c431d0f1a

SHA512
52d7ed2b7c3ea026648b63ce990e7c2e8a6cd60ed97b8e4e0acb48b171d20d061c86532c27ded5b15bbe39f89966d38231c28ff53a8a07fbfb79448035433f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\ofxpdwmh.0.vb

Filesize
14KB

MD5
69dc55ab8ecb953d3a9be0d08a662258

SHA1
004186282eddc509436fb5e2fbf495280610bb0a

SHA256
344ce1b687bae029c8f40ac58ddc12cbdcdac9a27a8fc46736f5e8606aa0ec46

SHA512
ed99a5a22a4ec60a9bcf7a8e64715e4c3161604a9d830bafdacf87a15c508bc9a27a95441bfc99b807d0018cc8ec1db7a3cc77afa8ad6de252349101f5d1687c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ofxpdwmh.cmdline

Filesize
266B

MD5
29325d99dc9536d852c6b975d75071f0

SHA1
16bcc84870c96310dfe34a8ede2b5f19ac819d32

SHA256
709ab39fce10d15d31de929f0005bfd302c00ec4a35a64e7adbecf410902c2a1

SHA512
c665f7ce2634df66c77dfeeb5b5c313024a0068ebc3ebc90a541a9cb4af2010d31544255840fdc0316ca46d83c7d856cbc9ae86c430d745a35cdc981d80d469c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE8BA.tmp.exe

Filesize
78KB

MD5
931e4b9f099379ef48b076202fa2df9d

SHA1
92be6366dbccb6edd76fccf4c6cde9834a4c6df1

SHA256
0bb360ba361d48a45c53238630de708ea2e756296d41f02d1eae4f7617621d03

SHA512
138c65457cd985332743d95821631869472be43221716721e4d35b2add7d294136d9e906928f48679e3f62fd6a093f31c878501e47e227a563ccd5c286eaa2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcED5B.tmp

Filesize
660B

MD5
2b1bb61aa5746ca7d5496cf421ff912d

SHA1
0ad1cfa202ad36ea5bbdf92ae9e21258a3250bb1

SHA256
0610f8b3e4c112f8bd1c337d584b64a4b010a1846747cd83bbc5366dd3f78a94

SHA512
45567c3698e37386a081d29401e037cfd20310bcfc138fa5986c55ad6d8528601d131de3373e9b9a55a3ebdc01bbba2e3aedccb518b82ce896dc64442cfdbbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1480-8-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1480-18-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2244-0-0x0000000074611000-0x0000000074612000-memory.dmp

Filesize
4KB

Download
memory/2244-1-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2244-2-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2244-24-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads