metamorpherrat | 694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004

General

Target

694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe
Size

78KB
MD5

f38f16155e35c28c33fb7ce108438bfe
SHA1

aa8ed54feee96ac1a3a846251e3b8ab135bf1718
SHA256

694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004
SHA512

fe2038cd79e851786909c79cfc9ff38e1210c378bfd31ab0791563f8930d1b1ba28ff4f0501404a01753188f14db3637a35a2557935c8e850b56d6ab935ca7ff
SSDEEP

1536:We5hXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtN6g9/F1hnT:We5hSyRxvY3md+dWWZyP9/JT

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2520	tmpBEFB.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
692	694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe
692	694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpBEFB.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBEFB.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	692	694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe
Token: SeDebugPrivilege	2520	tmpBEFB.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 692 wrote to memory of 2608	692	694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe	30
PID 692 wrote to memory of 2608	692	694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe	30
PID 692 wrote to memory of 2608	692	694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe	30
PID 692 wrote to memory of 2608	692	694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe	30
PID 2608 wrote to memory of 2216	2608	vbc.exe	32
PID 2608 wrote to memory of 2216	2608	vbc.exe	32
PID 2608 wrote to memory of 2216	2608	vbc.exe	32
PID 2608 wrote to memory of 2216	2608	vbc.exe	32
PID 692 wrote to memory of 2520	692	694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe	33
PID 692 wrote to memory of 2520	692	694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe	33
PID 692 wrote to memory of 2520	692	694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe	33
PID 692 wrote to memory of 2520	692	694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe	33

C:\Users\Admin\AppData\Local\Temp\694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe
"C:\Users\Admin\AppData\Local\Temp\694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:692
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6199tgyc.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC044.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC043.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
- C:\Users\Admin\AppData\Local\Temp\tmpBEFB.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBEFB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\694828280047bcab220a338eda3b12a9c9a0eb605559036eb93bf00ee0bf8004.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6199tgyc.0.vb

Filesize
14KB

MD5
f143044e956be073f95f41800644cf12

SHA1
cdb35e381b1fc1e2c935b398f618ac0c764bf69c

SHA256
73780d72bb44fa255eaaaf54faa7fc3d78af99f1c1ffaeac04f588922f19d3ff

SHA512
34b097eaa49dd90b5c994000e0b182889dabe8fbee25eeb28ad37794497fd7a5a0cb632d331fa7eabf78bac56abd15fef9c5b13179d3990cae94cfa97da5335a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6199tgyc.cmdline

Filesize
266B

MD5
6c492b9dcd683abe2fc129436e6d4ee1

SHA1
d000504787784ef469ad97c5f7d5a3f9b2328d50

SHA256
daa0a4588c4d8a65d80e23e24a124d7ca9456b475180c56d849c773dc53a3e93

SHA512
4ce885074ec40da04779c09ad47cedb7e0f7ea343f6b78d287c58d95265c669c7a5628b047541d7a42123988a5cf39b297d9090aeb71fb2a1cecfeb114e4eded

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC044.tmp

Filesize
1KB

MD5
7e55a782e77d762af848c4ab057d13e7

SHA1
5b58e90c86fcedae853565242a59e2975037fa6d

SHA256
0d1f0ff48c5aa8d600e06fb46780d6285606151c7ffaa4fa498a5ff3c3837279

SHA512
0f11a79d53b0acaee726ebf9f91b66477e731d8051fb0c94373d7d1f62f558017a8e5a6ba9686df55194dac534f1fb61b8c43da75097d1f68c1741c18c33a0ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBEFB.tmp.exe

Filesize
78KB

MD5
e5fa6d6b6a5e2133a7fbb5769cfcafab

SHA1
c201bb3e3ec5617804b0cf57c9763aa844ffdee1

SHA256
a362cfc59a0030580b1ed8f77b3994cb0405ba938975c1197630caf004a4de1e

SHA512
99fe9bfdb9e0ad2dc16c30b20866e6decbcd3e684d71b0bb73a80a81e5f3914e1d8bc842767990ff3c7514e457434e5b396d67772848b3db07b1d396c97d391e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC043.tmp

Filesize
660B

MD5
e59f48a7e430ad008dd6a9a51558e2ab

SHA1
991dded111fcc08619ad67063f6c1b5ffde5005a

SHA256
96f2980f85b55adc55bb9578115c45f6eb041f4b5f4df2f43d4c9e7dfa7fee0e

SHA512
931569e7b8dc4ea9d019a3978a5eac11338d0fa3acf0e4605c27092244e6539262e188e1e81ca080b94dbb9d0b4d9d043a4638b28d8aea6d09aec078f750c527

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/692-0-0x0000000074481000-0x0000000074482000-memory.dmp

Filesize
4KB

Download
memory/692-1-0x0000000074480000-0x0000000074A2B000-memory.dmp

Filesize
5.7MB

Download
memory/692-2-0x0000000074480000-0x0000000074A2B000-memory.dmp

Filesize
5.7MB

Download
memory/692-24-0x0000000074480000-0x0000000074A2B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-8-0x0000000074480000-0x0000000074A2B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-18-0x0000000074480000-0x0000000074A2B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads