metamorpherrat | a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1

General

Target

a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe
Size

78KB
MD5

28af51a35d70018df036bd9e2671d459
SHA1

db708249b254953514155377c61b322cb21886e8
SHA256

a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1
SHA512

82a3151d1d25825b89136aa72479f2d399ff583f19d97a278c8f9a26599408b3e961e39b1d856d7b0b6facb8a35607f4245920097b92533cb327fb91deb61f76
SSDEEP

1536:ZRWtHY6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQteY9/31Ek:ZRWtHYn3xSyRxvY3md+dWWZyeY9/r

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2452	tmpA9B7.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
372	a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe
372	a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpA9B7.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA9B7.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	372	a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe
Token: SeDebugPrivilege	2452	tmpA9B7.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 2696	372	a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe	30
PID 372 wrote to memory of 2696	372	a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe	30
PID 372 wrote to memory of 2696	372	a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe	30
PID 372 wrote to memory of 2696	372	a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe	30
PID 2696 wrote to memory of 2240	2696	vbc.exe	32
PID 2696 wrote to memory of 2240	2696	vbc.exe	32
PID 2696 wrote to memory of 2240	2696	vbc.exe	32
PID 2696 wrote to memory of 2240	2696	vbc.exe	32
PID 372 wrote to memory of 2452	372	a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe	33
PID 372 wrote to memory of 2452	372	a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe	33
PID 372 wrote to memory of 2452	372	a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe	33
PID 372 wrote to memory of 2452	372	a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe	33

C:\Users\Admin\AppData\Local\Temp\a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe
"C:\Users\Admin\AppData\Local\Temp\a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qmgzs2l3.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA35.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA34.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2240
- C:\Users\Admin\AppData\Local\Temp\tmpA9B7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA9B7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a5fcbd78a8ba8bc10583bb3f993ee3ec743e786773d2800a6f8cd6e871de6bb1.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAA35.tmp

Filesize
1KB

MD5
5d277cd9725f3ec46d5abe45a84686fd

SHA1
fb4605206da9f167d45559ad3d55a64dbf7a7963

SHA256
f53b15fc519a493bc619ac18076ed464bc12a463d606a09edc7b7377f942a158

SHA512
de28a47164ad7b7561dd0e447a704129609b9d84201d25253f246d8736ee673a692829c852af423c156ea44d612455610d9abc55158e6ba5d74dff1f703d39f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qmgzs2l3.0.vb

Filesize
15KB

MD5
36dae9f5e351f516677b212144042e52

SHA1
6cc54a665df9a40e7145bc287eb4f8befcb69540

SHA256
4535439b8a9bedccaedeb07d54fc83119cda83eb8ea81479c1cc1c552b369858

SHA512
9af09aa01bbde1d793dd1107d34414331b8981afc7bf3e97feb7f892a4bb08f5db5fa4bcd2b2507131db8b1f862dc4021059ce2740da432d717110dabc975dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qmgzs2l3.cmdline

Filesize
266B

MD5
a8af5b7189adeead83d6f5332704f38b

SHA1
bc6fd83a7df3b335d18d418e49976b9890942e06

SHA256
13b5d303ae730d8d8706ad633c4b7036ae295f6006969aeab3a59a899726691d

SHA512
956d2a86d1c7ac213a1443b1db439837b4441f27f77b9204dbafaf702636bead8678fd526056c6259d0ac524471d042b571fb1d41ddb6e3c5d5f1b56ac230a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA9B7.tmp.exe

Filesize
78KB

MD5
c63c98988eb0ae9ffc20f05e864ef66a

SHA1
9f3d86e52eb98c35d094db719946083af2a60b60

SHA256
2fc7a558a6011560fbaa1523da4075139655164d47ec5f1a681a2d8193a99200

SHA512
2fb91aeb1e81ea334c8dce6f57d918dd8715c6e62e9eb9bb3fc6e16cb9f284953efa7deebf6f53703bddd60747551b4433474aa8e1c2c8c7129042b94ddb10a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAA34.tmp

Filesize
660B

MD5
b580ceb585d5b92c95c8f8d43ba3f0e9

SHA1
b5bb14583a27f215cde0a9239953bfa1637ed79c

SHA256
9ddd49b410332bffc414fc02c4ff0108146069dc0dd0a7670dac7c57a0384663

SHA512
6dbc13b6017423504e40fe27e053bf5356d6b173e48e7df0070ec564ccea82d89e692687755cd9c0a67386126fa9663f2d81496f0b5f315f93725eeb0b72e132

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/372-0-0x0000000074841000-0x0000000074842000-memory.dmp

Filesize
4KB

Download
memory/372-1-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/372-5-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/372-24-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2696-8-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2696-18-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads