metamorpherrat | e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1

General

Target

e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe
Size

78KB
MD5

4e65fa07b5cfcd20bff532895591fde0
SHA1

485ad52859548efa90bf64b72ea5949734fd81e3
SHA256

e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1
SHA512

4c6943308d4e00498a53357ed2ce61e20fc40d5899afb7db7d9ee475f59cc4cb83273dd2ff9c4966de58150b5c03e917704c1ccabda84903e0694233a4befff3
SSDEEP

1536:nPy5jSwXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtC6p9/c1FO:nPy5jSoSyRxvY3md+dWWZyx9/9

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2848	tmpD421.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2324	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe
2324	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpD421.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD421.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe
Token: SeDebugPrivilege	2848	tmpD421.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 1736	2324	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe	31
PID 2324 wrote to memory of 1736	2324	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe	31
PID 2324 wrote to memory of 1736	2324	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe	31
PID 2324 wrote to memory of 1736	2324	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe	31
PID 1736 wrote to memory of 2156	1736	vbc.exe	33
PID 1736 wrote to memory of 2156	1736	vbc.exe	33
PID 1736 wrote to memory of 2156	1736	vbc.exe	33
PID 1736 wrote to memory of 2156	1736	vbc.exe	33
PID 2324 wrote to memory of 2848	2324	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe	34
PID 2324 wrote to memory of 2848	2324	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe	34
PID 2324 wrote to memory of 2848	2324	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe	34
PID 2324 wrote to memory of 2848	2324	e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe	34

C:\Users\Admin\AppData\Local\Temp\e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe
"C:\Users\Admin\AppData\Local\Temp\e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eqj73fue.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD4BD.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2156
- C:\Users\Admin\AppData\Local\Temp\tmpD421.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD421.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e639f44654c8f4a881ad5f561f16cdaadfaa8dea5a995c0758c09332d62b84e1N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD4BE.tmp

Filesize
1KB

MD5
deba70abe1ea037d8bc9f8ce0a5a7b60

SHA1
bf0dadcb992c069dcfd2ed55a42864d3d722f9ea

SHA256
2ef8e39945e26ec0892a86d50e6aa51953f7ea912283bfd4ca70a9f1a5b866b2

SHA512
226488cb7acab08717538718cf24c496caf5835303db8a37877319324aad88f01c0a7811773ed34d63b2b824e19c9798e98c94f1f48724d8dc1ace883a877760

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqj73fue.0.vb

Filesize
14KB

MD5
3cf00700a02ab9d8393a70896fa5f095

SHA1
c32769bc71c05b0f0b527551b626da0d59102f25

SHA256
8187e2a43251039b71ff17987bc90d65d8bb8b5088ad160e4c6fa21cfcd698ca

SHA512
b4a7b71a73e0df88353f8231fd2c2a8457ceff75cb255973e28b4ec8627b8e302274c71bb1b517a21dfdf5f118e5bddc3326588aa6f3c5a875e8c34f92cc8b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqj73fue.cmdline

Filesize
266B

MD5
532243113efe259ef77b2db1915d96b5

SHA1
d7c1a7cf0b891636fad4f5a4359b718a7b5e6322

SHA256
68de4987d26e9b07859baafc47758ca66d4fb9e11df17f017dca74eddd46885b

SHA512
50316e9d897886e4e75f3a7cc13241e5a1b2dbdf50583dc48e4d1481546bdeb9d59b018ff5764339609fb7570b5ba58b3030ac4c0b67e32b048013fd76cbdea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD421.tmp.exe

Filesize
78KB

MD5
f8978b2ad2f3b9cd19006379480d7b4a

SHA1
3445b2852dfa478da9e43cb423d9b313824caf22

SHA256
db413d965b2bedffde5357ca3ae45c24220d05cafe7248397a17c15980619a9f

SHA512
9d429bf8546701541bcb442d851b1c51ebded1e0228d6af05781b10a81f7ed30af48428d1f2e5d94925a6ee67744e85a08b9720fa45f6d3a7cab2b3b974b0192

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD4BD.tmp

Filesize
660B

MD5
d54a424129702321bb90e7453c729798

SHA1
7482ad1debe6e77ee8341470bb61033f8acfee0e

SHA256
55c7fecb4b5f18b9e8290cc36d65756b16d8fb87cd0e6ef85295fb13013939fa

SHA512
7b45aa4f8642a01e0159576d7a08a7dce8c54fa3f846a1671d80f19caacfd96c406be5b09f4300aaddb0b62ff0604d6fe76f9084199ebbd6c63371645fa20809

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1736-8-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/1736-18-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/2324-0-0x0000000074751000-0x0000000074752000-memory.dmp

Filesize
4KB

Download
memory/2324-1-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/2324-2-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/2324-24-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads