metamorpherrat | 5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527

General

Target

5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe
Size

78KB
MD5

73ebf50108619cf05ba3b7311a8fb6e0
SHA1

7e44d9ce2b10d17c3ea971c56a558951fa6d32c0
SHA256

5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527
SHA512

0f296fac3c9cc19beee3187c0c365afd115bdfc5b053afc994dc367657bc498e5612c3f28c5a23ad0e1251ffc42963519c63e46a9d5855d8677a281b79c517f4
SSDEEP

1536:mWtHF3M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtb9/T1OH:mWtHF83xSyRxvY3md+dWWZyb9/e

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
3016	tmp7A00.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2320	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe
2320	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp7A00.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7A00.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe
Token: SeDebugPrivilege	3016	tmp7A00.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 1592	2320	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe	28
PID 2320 wrote to memory of 1592	2320	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe	28
PID 2320 wrote to memory of 1592	2320	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe	28
PID 2320 wrote to memory of 1592	2320	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe	28
PID 1592 wrote to memory of 2848	1592	vbc.exe	30
PID 1592 wrote to memory of 2848	1592	vbc.exe	30
PID 1592 wrote to memory of 2848	1592	vbc.exe	30
PID 1592 wrote to memory of 2848	1592	vbc.exe	30
PID 2320 wrote to memory of 3016	2320	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe	31
PID 2320 wrote to memory of 3016	2320	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe	31
PID 2320 wrote to memory of 3016	2320	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe	31
PID 2320 wrote to memory of 3016	2320	5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe	31

C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe
"C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\luvokjsq.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7AEB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7AEA.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2848
- C:\Users\Admin\AppData\Local\Temp\tmp7A00.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7A00.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7AEB.tmp

Filesize
1KB

MD5
3876ca5b87df5816169ee1dc10a0ddd9

SHA1
e10ceb2684cb9fa156b0462f5635947c3963ab19

SHA256
1f84c98bee577f30451d10cc87f65fe759fa010b0ecbc9c6d797f2c28edef4ce

SHA512
c89b6a49d00a3e04fc6652e0d6d72c9bce8a67c49a4b3066b1eb2316cff69087e26070ba06e72dae069c5c6ffa973b231f93c5339abe0fdc6fe06e2cf8c3530d

Download Submit
C:\Users\Admin\AppData\Local\Temp\luvokjsq.0.vb

Filesize
15KB

MD5
217c90a214992bfe084ddad2f251fa7d

SHA1
70739c2c1c39141f2367ff2ef6c9dc083fc81fc1

SHA256
6fbfef5b5c663880e1041d9bf7fe6e12b07426a8379de9d44d2c30a40db10335

SHA512
e11397c1667390ac953c6c7ba641fcb7f5124c557ffa3a251dfea54dfb92b0f9c6e9f0531cc9ec47ff9d816aa1219e369607eb85019b339fbcaacadab73c3397

Download Submit
C:\Users\Admin\AppData\Local\Temp\luvokjsq.cmdline

Filesize
266B

MD5
3cbc354281ee30683138631caf8768db

SHA1
f8a9ae7c773206a1bf778b1a0c3b6386cc498e51

SHA256
ae18a8bae7025e32f22e0a05aa52ba4c442d567a9dc45d334af207d903662e55

SHA512
0b48d18ed9edda61bedabe8f03882e17f0f13fe73e034d5ff8c912ee73cac0bec30a0ac5e0cc950fd5e8310267eaedc968f8cfef3b2a24f37390882e6257686a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7A00.tmp.exe

Filesize
78KB

MD5
54fad5b1c452406fa6e4da3cfc0587be

SHA1
5cc52ccfee2d3113269b0b03aef87b25ec981601

SHA256
e2bc5298f30b968fa3509ae98930a790f0d67b3473f962b69a1ddd2699f4993e

SHA512
888b3da9d83cf7de59a0b59b85c6244b06c3563011afb0fe656679392646dda16d8732d3c2381a87adc0c3d3db0e7504d7693678979619d9ba0d072594e586a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7AEA.tmp

Filesize
660B

MD5
723166eccc20cd6674cb29d01989f1fb

SHA1
d7a49ce93016e083bfda996597ebaf5450088eab

SHA256
3c4730a2823c5c7cd1ac741b201082aaf64260286bed47a788f0a1eb8c2b185c

SHA512
2b930ad11fb7377a6a405feb65cf21480376401fd11ef926fbea62d5e9e6bc0e08f4c12bb6b433326119fa850982df37f2119f1efdb2d35c474feedc19dabe6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1592-8-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/1592-18-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/2320-0-0x0000000074421000-0x0000000074422000-memory.dmp

Filesize
4KB

Download
memory/2320-1-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/2320-2-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/2320-24-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads