metamorpherrat | 30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb

General

Target

30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe
Size

78KB
MD5

93c7a8b8044657becec13b3fa7afc61b
SHA1

e04d9bcdc3196b0eafdb7a056fc1a8982de47935
SHA256

30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb
SHA512

8fce401ad3e906f1ce0963829903316d0523b63f860df35e1921d4785f37028808012948585c4038dbab8349ccf427a69460faaf9ba46ccb98e79f62a87e6f28
SSDEEP

1536:LCHY6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtB9/G1dJ1:LCHYn3xSyRxvY3md+dWWZyB9/U1

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2884	tmp5E94.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
796	30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe
796	30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp5E94.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5E94.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	796	30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe
Token: SeDebugPrivilege	2884	tmp5E94.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 796 wrote to memory of 2924	796	30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe	29
PID 796 wrote to memory of 2924	796	30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe	29
PID 796 wrote to memory of 2924	796	30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe	29
PID 796 wrote to memory of 2924	796	30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe	29
PID 2924 wrote to memory of 2904	2924	vbc.exe	31
PID 2924 wrote to memory of 2904	2924	vbc.exe	31
PID 2924 wrote to memory of 2904	2924	vbc.exe	31
PID 2924 wrote to memory of 2904	2924	vbc.exe	31
PID 796 wrote to memory of 2884	796	30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe	32
PID 796 wrote to memory of 2884	796	30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe	32
PID 796 wrote to memory of 2884	796	30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe	32
PID 796 wrote to memory of 2884	796	30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe	32

C:\Users\Admin\AppData\Local\Temp\30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe
"C:\Users\Admin\AppData\Local\Temp\30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:796
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7jf0_l0p.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61FF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc61FE.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2904
- C:\Users\Admin\AppData\Local\Temp\tmp5E94.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5E94.tmp.exe" C:\Users\Admin\AppData\Local\Temp\30467a898e671d1d3a27a3c16c8647ebe8de3dc43b17e4234d6ae56251190ecb.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7jf0_l0p.0.vb

Filesize
15KB

MD5
537d555f84f3ab6e7741aff09c7512d9

SHA1
83b661a7a2c86be470e7bd456168d84f4ca5cc3c

SHA256
7d2a3d1198707880f239d53be3f43bd073062d0b3c75e09db0cb4dfde70fdd0a

SHA512
23ae0d7e7c0d84a98af3d3df6def0a05adb2a4fbd764e6b399e56b0b5aa145daf0d57f4d32b8c1a225c330bf0b202db6a7de880a358e961bf25cb52b221e7784

Download Submit
C:\Users\Admin\AppData\Local\Temp\7jf0_l0p.cmdline

Filesize
266B

MD5
6e12d05524f4e6a52797267b09b297ba

SHA1
371358418a5e84c6183e69387ded73a1106a9041

SHA256
a93e63fbd17d169d27f3b049fca1def5943ec0387558539507f368cefa462501

SHA512
c919e9d6c93fb3b799712327b076528feb850e5265193d11b72b33b0e13c85675ce05a3fde6e27928da259521d31d629024f9bae5310d3dd0138cfc0135e25f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES61FF.tmp

Filesize
1KB

MD5
16efb67d4a98ae1ca94518fe0d2a3718

SHA1
40161df174f34dc9396598eebfa2aaae6670a1e2

SHA256
8c6ecdcd5c419294c852167f790df38f93f2e75406bf143fd407c9c67a3233df

SHA512
88d6edd86a55086b0e10ae891e87038207273313a35deb7b1163cda043efb0c29e7995f98dffbe189189935dfa8e8254164164cda904b8f397a507f45a319252

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5E94.tmp.exe

Filesize
78KB

MD5
8875e522339b71070ba72ae4671a204b

SHA1
fe6bafb4a354c947bde5b1ab0144154264fb8398

SHA256
2e899cd24f9a958c280849d1abd690b61b82861819638003316e1d7f37f455c2

SHA512
6a26b6db1a27bce4d97536daae55c0c132020584e6373e1979dbc3de3ee9d9809910d045bfad96d77d36fcde0543c0c8643dde74692abdf65cf708181b3b1932

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc61FE.tmp

Filesize
660B

MD5
62ed7ec69d0684d2532ea7090897e90b

SHA1
953c9444bbe3efff4ac475d2c33836067e64343f

SHA256
995979464a91f6d5c1721a40b9558e7d913e0a17463b59ec69a81dcede1bd384

SHA512
1fde0a5823db9e1cae6fb3ee7762179fc75b853b95877a575ac0e7e5b3d3b1f616fdbd5b72c5f02902be35329e9dc05f46353ba30e0fc16516b9fa66548aae2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/796-0-0x00000000747D1000-0x00000000747D2000-memory.dmp

Filesize
4KB

Download
memory/796-1-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/796-2-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/796-24-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2924-8-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2924-18-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads