metamorpherrat | 8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaeb

General

Target

8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe
Size

78KB
MD5

fbaeb298a868ea3384010e805d3e4130
SHA1

1376a5e582e6d256f7d9f1243bffb84bed14cd5a
SHA256

8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaeb
SHA512

86d72b1c5b60f8ab6cb19092180e4945ba75334d1c8b91132d809933412fb5c3286ac88a7bb541b36372e39c89638c7c9d23a8a0533240bc8b71f76eecbd837b
SSDEEP

1536:LCHY6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtB9/G1dJ:LCHYn3xSyRxvY3md+dWWZyB9/U

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Deletes itself 1 IoCs

pid	Process
2696	tmpE37C.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2696	tmpE37C.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2452	8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe
2452	8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpE37C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE37C.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2452	8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe
Token: SeDebugPrivilege	2696	tmpE37C.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 1728	2452	8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe	31
PID 2452 wrote to memory of 1728	2452	8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe	31
PID 2452 wrote to memory of 1728	2452	8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe	31
PID 2452 wrote to memory of 1728	2452	8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe	31
PID 1728 wrote to memory of 2348	1728	vbc.exe	33
PID 1728 wrote to memory of 2348	1728	vbc.exe	33
PID 1728 wrote to memory of 2348	1728	vbc.exe	33
PID 1728 wrote to memory of 2348	1728	vbc.exe	33
PID 2452 wrote to memory of 2696	2452	8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe	34
PID 2452 wrote to memory of 2696	2452	8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe	34
PID 2452 wrote to memory of 2696	2452	8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe	34
PID 2452 wrote to memory of 2696	2452	8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe	34

C:\Users\Admin\AppData\Local\Temp\8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe
"C:\Users\Admin\AppData\Local\Temp\8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yxowdluq.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE477.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE476.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2348
- C:\Users\Admin\AppData\Local\Temp\tmpE37C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE37C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8f107893b9c1dfc6d089d51fe2c384c6789214a3bda87b1f6a710177a0faaaebN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE477.tmp

Filesize
1KB

MD5
fa4cf1ff27ad3b6fbf478461b4663de1

SHA1
70499f207b3415c25e55743a9b694e8b0a1ac39e

SHA256
7213ef08377b69dcc19d8a6f93656133c681ae2f3eace5d58d09086293647cbd

SHA512
a1c24331cb1a06024413897e225d7a069ad307c3a6c1c2b1ba7957e21c2f92f76dae088a23f8be440457e4f4e1a7b44be3641479b960afd46d3422a4f09dd6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE37C.tmp.exe

Filesize
78KB

MD5
3e46b0258a494c80eb375fa3b37d7776

SHA1
d05b13de0ba5c1d99041d3616b3672224a77ab0c

SHA256
8f5ff4a7f0d7fe48ea088cc0888937f55f658f8282060d9e9b3c00f252ac6b88

SHA512
231ac22b321998cc39f5038826f6803ed47f6f59726bc965a7656e74a0bbe5aeb37b9c32c4970546b8108af5cc49e127c14587cfad39296d40312d994c36381c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE476.tmp

Filesize
660B

MD5
48dbf284264476b400d42d7d053bd1ed

SHA1
bd89af63e38a51e70b4e0d8b71e8d7c9084cb94e

SHA256
e915c5d7acb002cc3019ced18c2fcab1a08b8482ba74a9d7c1998e49a1e096ef

SHA512
ec16d8d3ab66a8fccb0c8ee1f81772e0adf521c70a20dd53a9eb9768eb2facfec49838a81ee8cd97377a568fc3a0a2e3dbc837bce7ac81024d8cc0f0b0136548

Download Submit
C:\Users\Admin\AppData\Local\Temp\yxowdluq.0.vb

Filesize
15KB

MD5
27e37ba69ba496f44256348136197cd9

SHA1
6522b41d999511b7e78ac40d655ab4a5835190ce

SHA256
2752ca1e02a6cbb40bd6ff380e97f159f5e30d43f20d4111c808bed28cf1fe24

SHA512
864b118566bd5d8c8159f6217bc00a5ea22490ea32c7a64fbef05eabc455abea4169f5781e1fe5b1b3ec5b38bbd6fd63ac770ff8a56522ec93fc43d09bf98a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\yxowdluq.cmdline

Filesize
266B

MD5
41875577ff8545dc8ca344ef7e0e70cd

SHA1
0055dd3dcb0ce839d267f1cb4ab4001250c442da

SHA256
eef1665c9ed05f76ae278679f3a15c07be7b038d1d4afcca6f4038ef1c3cb620

SHA512
a7f6d2598d485d83a2fa615b84b2811f521b3f01e795c39fcdac4fc31bcec477ce44f51ea051e7258d4aaff4b38e801057f8c65272533678a880e4644a7334a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1728-8-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/1728-18-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2452-0-0x00000000746A1000-0x00000000746A2000-memory.dmp

Filesize
4KB

Download
memory/2452-1-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2452-2-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2452-24-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads