metamorpherrat | 5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527

General

Target

5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe
Size

78KB
MD5

73ebf50108619cf05ba3b7311a8fb6e0
SHA1

7e44d9ce2b10d17c3ea971c56a558951fa6d32c0
SHA256

5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527
SHA512

0f296fac3c9cc19beee3187c0c365afd115bdfc5b053afc994dc367657bc498e5612c3f28c5a23ad0e1251ffc42963519c63e46a9d5855d8677a281b79c517f4
SSDEEP

1536:mWtHF3M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtb9/T1OH:mWtHF83xSyRxvY3md+dWWZyb9/e

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2280	tmpDE7D.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2324	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe
2324	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpDE7D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDE7D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe
Token: SeDebugPrivilege	2280	tmpDE7D.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2288	2324	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe	31
PID 2324 wrote to memory of 2288	2324	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe	31
PID 2324 wrote to memory of 2288	2324	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe	31
PID 2324 wrote to memory of 2288	2324	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe	31
PID 2288 wrote to memory of 1560	2288	vbc.exe	33
PID 2288 wrote to memory of 1560	2288	vbc.exe	33
PID 2288 wrote to memory of 1560	2288	vbc.exe	33
PID 2288 wrote to memory of 1560	2288	vbc.exe	33
PID 2324 wrote to memory of 2280	2324	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe	34
PID 2324 wrote to memory of 2280	2324	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe	34
PID 2324 wrote to memory of 2280	2324	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe	34
PID 2324 wrote to memory of 2280	2324	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe	34

C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe
"C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1kfy8kqq.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF68.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDF67.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1560
- C:\Users\Admin\AppData\Local\Temp\tmpDE7D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpDE7D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1kfy8kqq.0.vb

Filesize
15KB

MD5
59f1d640ad5c9661c52e1a55ad5f6627

SHA1
e1630e60ee500aee6d17e59c865df7df78a90681

SHA256
250fd44c3b2b179c57334bb89ab45950c6a8ba41c509872fa4f99ac59e3f348f

SHA512
8360de554d7ca38304b6832ca1a483ac7c8e08eda691e1aa57425d8b9783e3884c3c03626053f31c381b3ba49f926d5e83ba5773a6851658fdcb910bda7b9cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1kfy8kqq.cmdline

Filesize
266B

MD5
d7b70473e0347564b032076a8b6fd237

SHA1
0c63eceb55600ad0bfe61eb371a28a1cffc06e94

SHA256
b359c386a747345f321848aa372614f0ba7622b6a48d5e01fc181ec061806f6d

SHA512
bb1cac064878ff571ae0bf0401bcb1a4aa549056177654bdf02ba678eb077002d7dc95071a933759acc02883f7dce6a20084d7dba7a67cb3012767494a0e5cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDF68.tmp

Filesize
1KB

MD5
a2632175fe81455be56181cf2b8b3578

SHA1
66765db01149923b81e8e82b728dccd4f05a41f7

SHA256
bd3805052b7caac986394d0dc9db1ce466b6ac764ab7f924be612d486adc3fb4

SHA512
4e3fb962fa15fe278ce1db402935b462d19bfebd4dbf1be75d04eaab59db6a94cf766b82c18e7d59b722b231850fa382184870b34542f9317014e1379c0be47d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE7D.tmp.exe

Filesize
78KB

MD5
e68c4bb2d5f5407a201b1a0083b4a532

SHA1
e144287bba3edbb1c13067705bc2f0a984ee3490

SHA256
f68f3e0c6f0aef7970df1e4f8dfe0bbae62d7e1741b26b8178e8311db8cde42d

SHA512
5de3a66fea8b033dc45d301879b35a1ae58db2c02a58aca1b60bac1530c1c016fdf679fb9a7da04579c8535ecbec86baede77c08ce3766fe581d85bdb0e9c4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDF67.tmp

Filesize
660B

MD5
a3d2edb5ca5367053e45b848acdb3103

SHA1
eff88c453a4417e2cde5fdc35f46e8854b3f857e

SHA256
5224f2eaaaa56379d159d05225ac49876d1df91e6d5b932d4a52fb53ce6148bf

SHA512
67100ea046a4956be8ebc5a89152639b31a9674a2989e56ada7b0872db1230eb363f7d5f8a714363e8e7ec48d385ef0715e901aaa1db713b51820797983a4ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2288-8-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2288-18-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2324-0-0x0000000074121000-0x0000000074122000-memory.dmp

Filesize
4KB

Download
memory/2324-1-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2324-2-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2324-24-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads