metamorpherrat | 9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648

General

Target

9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe
Size

78KB
MD5

bcf13ce78e5d7cd417e5f2ec023b41e9
SHA1

445259463805fd75f206b2bb6a3ad0d7024ba703
SHA256

9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648
SHA512

508c45c3ef133a8caffce4c78ba8773524ac0ce42cb04c592ecb842aa9cb4e46565fc5158847d0ac082c4a69da70eb95994f74ac40b92e78fae42c6e560044a4
SSDEEP

1536:tCHF3M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQth9/C1xgk:tCHF83xSyRxvY3md+dWWZyh9/5k

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2840	tmpD28B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2116	9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe
2116	9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpD28B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD28B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe
Token: SeDebugPrivilege	2840	tmpD28B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2776	2116	9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe	31
PID 2116 wrote to memory of 2776	2116	9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe	31
PID 2116 wrote to memory of 2776	2116	9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe	31
PID 2116 wrote to memory of 2776	2116	9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe	31
PID 2776 wrote to memory of 2076	2776	vbc.exe	33
PID 2776 wrote to memory of 2076	2776	vbc.exe	33
PID 2776 wrote to memory of 2076	2776	vbc.exe	33
PID 2776 wrote to memory of 2076	2776	vbc.exe	33
PID 2116 wrote to memory of 2840	2116	9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe	34
PID 2116 wrote to memory of 2840	2116	9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe	34
PID 2116 wrote to memory of 2840	2116	9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe	34
PID 2116 wrote to memory of 2840	2116	9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe	34

C:\Users\Admin\AppData\Local\Temp\9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe
"C:\Users\Admin\AppData\Local\Temp\9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tfq27ifh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3C4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD3C3.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2076
- C:\Users\Admin\AppData\Local\Temp\tmpD28B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD28B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9ecc3caf5f3828e147ecf6093ac48bd8c84066501731b781b9c2499a16239648.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD3C4.tmp

Filesize
1KB

MD5
b4c380e03a22fbd3090ea5297090f6c9

SHA1
7f1a44152b02e7765b9a5e84465c2309ebb66707

SHA256
202b881cd55fe54480a99a33459b5e3b38d18895eb28260b1deb071b150fef57

SHA512
779f0f397017144ecd36ffb7e92851cd87ab60b93489452258df9667bb055e71ddb6ff01308e1db8fb9c1c15abc6258059df7485a488fda37131543e9a467f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfq27ifh.0.vb

Filesize
15KB

MD5
dbacbc1cf780a9aa98458e26434a351e

SHA1
be393182e7ee19b6197e28c831459ace065776be

SHA256
19cda471bdc82494e6869068ccb14ef44dc4e0cde5a7f208bd7c4cc278690e29

SHA512
fb37c96368671a909978c77bb5966c00a2415c4657b90c6159ff2c89728d6e1730fb9d46a38c512cbbcbe9110d868b279246f6409eae77264f1ad2e90c5e378b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfq27ifh.cmdline

Filesize
266B

MD5
ff2a3a44639229905d25baa503f8345c

SHA1
ecdbae78d096617cb8f3ac87cd216d9ab6896a0a

SHA256
787ede04daffeecbd7932044d67e7dff6ee3692a1db08b7611bb3ceb2b1d419a

SHA512
234e4fca688f6df45157171d3a5bad3f35c0146d7af220fd4c04a66e158f2a8cab045ab397cf4ebac6ea82ae811e90e493878479a929c609eefdebb3c0238dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD28B.tmp.exe

Filesize
78KB

MD5
9397a76525624fbd269cea3d63ee185f

SHA1
787aa6fb8cf3cb466f75c69b6a26e3807ea51788

SHA256
634e9f0bb3ddd472d2af31e042d841263ccd48e63d0dace1066fa5456bb6c90c

SHA512
64f59f05e534d9cfd8b9ab925f37d01fe8943c83dda7a49ba7a923a5a04e32c2c02ffe9ac86ca46069b087a91b70fe87d6d738b11e1ce4e95036a8057e0afbf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD3C3.tmp

Filesize
660B

MD5
a46cda2e1ccb74836fd18606f506540a

SHA1
369fea73183ad60df120fef8bc321c72bd5d5b13

SHA256
49db7c612d3d6d6c367aac1b8d8b9c8601d3a7bac5fa676b03d6bde118916bfa

SHA512
453ec4fb79b59ccc9275673ad947f3deeceed875e3a7b72e64a51102becb8d5b4cf5dc87e1f64d923f82fd2c1268dbe744f9c90002137074e958ed9fdc089e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2116-0-0x0000000074791000-0x0000000074792000-memory.dmp

Filesize
4KB

Download
memory/2116-1-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/2116-2-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/2116-24-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/2776-8-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/2776-18-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads