metamorpherrat | df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0

General

Target

df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe
Size

78KB
MD5

88a7a14c8c93cf34ffd73a50824c1860
SHA1

eef0d848ef15bfa46bde60be3b35aa1f10c0159f
SHA256

df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0
SHA512

52183a7d1d803644b81d12279c521799ef10dd1542fa501a9cc39420297a5f2e95987e220f9d16642e8537d51bcfef5f311672a016838f203251e6a869a429fa
SSDEEP

1536:qsHHM3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtD9/+1i7:qsHs3xSyRxvY3md+dWWZyD9/b

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2716	tmp2BC2.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1664	df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe
1664	df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp2BC2.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2BC2.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe
Token: SeDebugPrivilege	2716	tmp2BC2.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2704	1664	df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe	30
PID 1664 wrote to memory of 2704	1664	df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe	30
PID 1664 wrote to memory of 2704	1664	df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe	30
PID 1664 wrote to memory of 2704	1664	df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe	30
PID 2704 wrote to memory of 2840	2704	vbc.exe	32
PID 2704 wrote to memory of 2840	2704	vbc.exe	32
PID 2704 wrote to memory of 2840	2704	vbc.exe	32
PID 2704 wrote to memory of 2840	2704	vbc.exe	32
PID 1664 wrote to memory of 2716	1664	df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe	33
PID 1664 wrote to memory of 2716	1664	df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe	33
PID 1664 wrote to memory of 2716	1664	df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe	33
PID 1664 wrote to memory of 2716	1664	df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe	33

C:\Users\Admin\AppData\Local\Temp\df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe
"C:\Users\Admin\AppData\Local\Temp\df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dxc8mcjw.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E81.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E80.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2840
- C:\Users\Admin\AppData\Local\Temp\tmp2BC2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2BC2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\df46bca6b125e370d13301f6d84db007bb36d98a4638645aa009ae8c0615ece0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2E81.tmp

Filesize
1KB

MD5
9761d0002e7e941bd3738292c20f294c

SHA1
9b5786b24a5d3800e6868131b8561351e1df5894

SHA256
82d4e66ac65b5187ce9e5ecb48035e4386ca08d9e83a1f5b8ecfd360403eaf81

SHA512
1939249e810da5691940d0120f84beae0af3686638e6cff2ace8a3327386a248ed66967633e66941ee1762f8660ed264f6b0333001ea610d4d32d6d597c4105f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxc8mcjw.0.vb

Filesize
15KB

MD5
0459896f4cb80f5905e7a0089bd4ea5d

SHA1
0aa92e31e7727997c35fbacabc3358fb1f08d486

SHA256
19e7af1b6985ff4ae6805c3cbe59d0674da3af9e930ff800b54f0e09f6d75697

SHA512
4ba34638c9a15a83336e503260690dbd6524bf85707894b90e178de1c46f8435d37fbd8dd3dce225bc562d3a17b11861326713c5b9eff1f27a2906abda11db43

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxc8mcjw.cmdline

Filesize
266B

MD5
6aa27e9410655eb83b9fcb3b85e78504

SHA1
f25db4aad0db64182039864bce9e59307844debc

SHA256
45253d2412a841801f16be307abe9d002de6f52010a25090592c4c203dbe3549

SHA512
412b8539278874e307f9cdb10a07718c7af8eb6d2340f58000bf0a12f346dd8a6b9a86a8097ccbbb0bec52ae5aca219772a41b038dee22d2c143c5fac81b7f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2BC2.tmp.exe

Filesize
78KB

MD5
989038f8c4824b0e32789a49bab6127e

SHA1
3666e4bf54eb7c3f2c87cf1a4aecbc3b6e0e4bda

SHA256
3ea7206164a915ceaffc36e1e2c1b6447159f66654aec065aaa9dbd239980681

SHA512
cf5eaf5d4f18d1ab15933b4dfebd1127af248d4738f0263a66325085eac76918359e47f32d0632c7c0ed29ade8d84b19ab267fc76f76c344bf531812ea0dab7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2E80.tmp

Filesize
660B

MD5
d5fd92a4cf6eb1ed69480891611189bb

SHA1
928cba2ae14c106d5fec30c9841c4989b52dc0f2

SHA256
d2bed1e4c90f3bc778f959dff9e76b6305281a95f698b5b8ae4bb4e0e6602a74

SHA512
2d84c833f574a6811c4cfb9c85eb0bc389942eaec59e72175345a04602a0b9c81bbe6c002485037583088b4f2f5da2e49045fb6247e275bf2c54d7029c2492c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1664-0-0x0000000074C01000-0x0000000074C02000-memory.dmp

Filesize
4KB

Download
memory/1664-2-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/1664-1-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/1664-24-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2704-8-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2704-18-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads