metamorpherrat | 14fc04d57e2a0207f349a2a140340665679e699f8e90efa7e5d29f0026bd63e8

General

Target

14fc04d57e2a0207f349a2a140340665679e699f8e90efa7e5d29f0026bd63e8N.exe
Size

78KB
MD5

aa170c1bbccc689682c8a5af62be52d0
SHA1

b95d1cda69967049a44a45c42c7671145abe2923
SHA256

14fc04d57e2a0207f349a2a140340665679e699f8e90efa7e5d29f0026bd63e8
SHA512

045da819d4bafdf196088000c226d774058a002a339625be04cb440d5d241cfcd1d3269c76b18380ee716c7c16c5cb5563e07716e71b9e47ac6272d7111f6f78
SSDEEP

1536:AhPWV5jNXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQty6V9/Uo19/:8PWV5j9SyRxvY3md+dWWZyt9/l

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2668	tmpD4DC.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1920	14fc04d57e2a0207f349a2a140340665679e699f8e90efa7e5d29f0026bd63e8N.exe
1920	14fc04d57e2a0207f349a2a140340665679e699f8e90efa7e5d29f0026bd63e8N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpD4DC.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14fc04d57e2a0207f349a2a140340665679e699f8e90efa7e5d29f0026bd63e8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD4DC.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1920	14fc04d57e2a0207f349a2a140340665679e699f8e90efa7e5d29f0026bd63e8N.exe
Token: SeDebugPrivilege	2668	tmpD4DC.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 1860	1920	14fc04d57e2a0207f349a2a140340665679e699f8e90efa7e5d29f0026bd63e8N.exe	31
PID 1920 wrote to memory of 1860	1920	14fc04d57e2a0207f349a2a140340665679e699f8e90efa7e5d29f0026bd63e8N.exe	31
PID 1920 wrote to memory of 1860	1920	14fc04d57e2a0207f349a2a140340665679e699f8e90efa7e5d29f0026bd63e8N.exe	31
PID 1920 wrote to memory of 1860	1920	14fc04d57e2a0207f349a2a140340665679e699f8e90efa7e5d29f0026bd63e8N.exe	31
PID 1860 wrote to memory of 1864	1860	vbc.exe	33
PID 1860 wrote to memory of 1864	1860	vbc.exe	33
PID 1860 wrote to memory of 1864	1860	vbc.exe	33
PID 1860 wrote to memory of 1864	1860	vbc.exe	33
PID 1920 wrote to memory of 2668	1920	14fc04d57e2a0207f349a2a140340665679e699f8e90efa7e5d29f0026bd63e8N.exe	34
PID 1920 wrote to memory of 2668	1920	14fc04d57e2a0207f349a2a140340665679e699f8e90efa7e5d29f0026bd63e8N.exe	34
PID 1920 wrote to memory of 2668	1920	14fc04d57e2a0207f349a2a140340665679e699f8e90efa7e5d29f0026bd63e8N.exe	34
PID 1920 wrote to memory of 2668	1920	14fc04d57e2a0207f349a2a140340665679e699f8e90efa7e5d29f0026bd63e8N.exe	34

C:\Users\Admin\AppData\Local\Temp\14fc04d57e2a0207f349a2a140340665679e699f8e90efa7e5d29f0026bd63e8N.exe
"C:\Users\Admin\AppData\Local\Temp\14fc04d57e2a0207f349a2a140340665679e699f8e90efa7e5d29f0026bd63e8N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f9ok2f8c.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD634.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD633.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1864
- C:\Users\Admin\AppData\Local\Temp\tmpD4DC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD4DC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\14fc04d57e2a0207f349a2a140340665679e699f8e90efa7e5d29f0026bd63e8N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD634.tmp

Filesize
1KB

MD5
cff63248f232deffc182caf16821ea44

SHA1
3bf61da5ac869cf96afdc22fa8a8b9f0a321e10a

SHA256
32b85f0cb573887550d490c2baf270bb17f3f69a663972dca886f1acfd23469e

SHA512
fd81788442da4a930d55e4b3984c57dc46429bd5fc156e1b49cd33c7dde08a069686da50256058ae1ea762a9a1e6a18dfb80153c5020c5c369160fdc33716995

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9ok2f8c.0.vb

Filesize
14KB

MD5
05dc7fe6f752662f7751a21d8d3812e9

SHA1
13dbf16ea60439ebd870eb3e71ae4fe3efe38a90

SHA256
aa43be7dffc66b1ee602bf220fb35c7ae193cc80cc1b685b040eefbd23dedf1d

SHA512
6f2d94d595a7cd21805ddff4f2ae0e1ebd71a8d7691bfb94044de2bc29dad24ead8b8e858cf10768ef12d8f2573627e047a8572078d21afa77b852cc64f3bfd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9ok2f8c.cmdline

Filesize
266B

MD5
b9da45a5a7e560d303dcca3e83a32ec0

SHA1
0fbcbae207b5db75cbbf53b40a10b7ec8b97ba6d

SHA256
54cb6afcaaa97bea8f337a70ea466d8fe3192a28c08050ef929728f2c782d402

SHA512
e4d7ba9ea9c166463e93e97be54fd7bab70cae33d8477aa95b530c5f523512afd36cef3da99425af6682743247cfd037227d744e6ad3e95bae78878d52008a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD4DC.tmp.exe

Filesize
78KB

MD5
a4f1d90b7843ca09654531951ebe93b8

SHA1
8f0b453306d3c7d8923081b385ccc0fb464e59c9

SHA256
30f9236bfb50336a34b052b7fbc5a738e582cef777c79ce860864a20d9fccaa2

SHA512
250f4dfc9c5babfdcf54fd03e53c30f9a53f5e832b2d362ab9e269331e05b659a677dcb2de25c24725d37435680e81d6cd05ac3ee01228188227a09d75150452

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD633.tmp

Filesize
660B

MD5
027037a54e3724526e94932b5eb7b75b

SHA1
1ea57ee91d540d505cd8266683d1c7f396baea53

SHA256
cfd4e1fb49f9d78143bbe04d469a023678ce7e23828e0d6476d807eea8138246

SHA512
c46e31b9e22a6fddc04f45739e62fed2d1ff12aa951d26208fb79c500376f47748ff11c86bfe8c322afae80bdb09a61eb3ecd5d1ffa01975bc7c1994fe78c1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1860-9-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/1860-18-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/1920-0-0x0000000074B01000-0x0000000074B02000-memory.dmp

Filesize
4KB

Download
memory/1920-1-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/1920-2-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/1920-24-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads