metamorpherrat | 127927fd121b31cfbb7b2e32f7632890ac31cbb36aa76209680387505835c7b6

General

Target

127927fd121b31cfbb7b2e32f7632890ac31cbb36aa76209680387505835c7b6N.exe
Size

78KB
MD5

c3425d0a26733fcb3b95d6e9c715de00
SHA1

a1cbdb8ffcae3e762086d0791ef938e3527af3ad
SHA256

127927fd121b31cfbb7b2e32f7632890ac31cbb36aa76209680387505835c7b6
SHA512

fcd60d671ee0dd7ccb5c7f44c6c20fc1d375007b4bf1a880d3cf7583cbae0846f3853a6828bb61d4efcd6c3be8e153b106330e7a722819b9e9a387d305a7f70b
SSDEEP

1536:oV5jS6XT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtC6zP9/p1qh:oV5jSiSyRxvY3md+dWWZybP9/e

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2624	tmpF612.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2756	127927fd121b31cfbb7b2e32f7632890ac31cbb36aa76209680387505835c7b6N.exe
2756	127927fd121b31cfbb7b2e32f7632890ac31cbb36aa76209680387505835c7b6N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpF612.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	127927fd121b31cfbb7b2e32f7632890ac31cbb36aa76209680387505835c7b6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF612.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	127927fd121b31cfbb7b2e32f7632890ac31cbb36aa76209680387505835c7b6N.exe
Token: SeDebugPrivilege	2624	tmpF612.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2680	2756	127927fd121b31cfbb7b2e32f7632890ac31cbb36aa76209680387505835c7b6N.exe	31
PID 2756 wrote to memory of 2680	2756	127927fd121b31cfbb7b2e32f7632890ac31cbb36aa76209680387505835c7b6N.exe	31
PID 2756 wrote to memory of 2680	2756	127927fd121b31cfbb7b2e32f7632890ac31cbb36aa76209680387505835c7b6N.exe	31
PID 2756 wrote to memory of 2680	2756	127927fd121b31cfbb7b2e32f7632890ac31cbb36aa76209680387505835c7b6N.exe	31
PID 2680 wrote to memory of 2160	2680	vbc.exe	33
PID 2680 wrote to memory of 2160	2680	vbc.exe	33
PID 2680 wrote to memory of 2160	2680	vbc.exe	33
PID 2680 wrote to memory of 2160	2680	vbc.exe	33
PID 2756 wrote to memory of 2624	2756	127927fd121b31cfbb7b2e32f7632890ac31cbb36aa76209680387505835c7b6N.exe	34
PID 2756 wrote to memory of 2624	2756	127927fd121b31cfbb7b2e32f7632890ac31cbb36aa76209680387505835c7b6N.exe	34
PID 2756 wrote to memory of 2624	2756	127927fd121b31cfbb7b2e32f7632890ac31cbb36aa76209680387505835c7b6N.exe	34
PID 2756 wrote to memory of 2624	2756	127927fd121b31cfbb7b2e32f7632890ac31cbb36aa76209680387505835c7b6N.exe	34

C:\Users\Admin\AppData\Local\Temp\127927fd121b31cfbb7b2e32f7632890ac31cbb36aa76209680387505835c7b6N.exe
"C:\Users\Admin\AppData\Local\Temp\127927fd121b31cfbb7b2e32f7632890ac31cbb36aa76209680387505835c7b6N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g9cxkbqj.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF816.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF815.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2160
- C:\Users\Admin\AppData\Local\Temp\tmpF612.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF612.tmp.exe" C:\Users\Admin\AppData\Local\Temp\127927fd121b31cfbb7b2e32f7632890ac31cbb36aa76209680387505835c7b6N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF816.tmp

Filesize
1KB

MD5
464b302204b2983721826be39f251f04

SHA1
21c6f5658e6de7ffe0e5da313b79e1d3ecce5e44

SHA256
ae83b43ab2be384ff6610b05e215d2a04a26602f9b28b3a158da42503dbf184b

SHA512
ce753eea3df84e00b00f3cc8b134b580ad5e39468e2574b40a1c7e7059fe258e67e5f58274546785d4aa84fc64844584f741f34401c7fdb3555fa5365bd5e27e

Download Submit
C:\Users\Admin\AppData\Local\Temp\g9cxkbqj.0.vb

Filesize
14KB

MD5
0e3c4b076eca85618f55d392988950ad

SHA1
75d5ebb52a9dc6e8215848eb474cba545ecd33c5

SHA256
c7d286c2081f93a550e7f394dbda1b98d679033c9f16b5f20ccb41c17f0debc1

SHA512
b5b056df33653ac42e62fac598728d2b47af0378fdfdb1c9d01f9473fbcb73c01c842cb5a746667ccfc6999694d03f5d29a57346978cd9e1aef08824d4127d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\g9cxkbqj.cmdline

Filesize
266B

MD5
3da718f6d5b478dbaef736c408b07b4f

SHA1
d74bb4ebd92a26ebb01523c9c350b7e140a1676d

SHA256
b2292dcbffe368fb6c1e74c163b69b952a224d409950f6e48c81bf562ecfd248

SHA512
73cd4733b8af95cdaabd3c21dd03c773c28fa70f3787f2c7e3bd32031d022bb7d4a3f3fa421ef8cdfd7bbe846b1b7981255be82de208d4c4468f928d48b23336

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF612.tmp.exe

Filesize
78KB

MD5
eb3b1b6261621b264a88121517314355

SHA1
19cd25c3add48cff6cc941a7858f8eb9baa97986

SHA256
8a610fdca6bf37255507e57689cc5a27b8170eb0cda71713355117da9133e0ac

SHA512
c7da1b8192cc68a7460274ce20af993f122d870b5cd0b01c494640156a417d3f8db48fdf4206f386080e10dd0cd2ea71ed1841233e199f41d14e7a70d58a0fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF815.tmp

Filesize
660B

MD5
9b28a743347c76ff1aacd6d03d714318

SHA1
50fccd3bcdc140de4423e42d84b87e01fc8f4e0e

SHA256
3277025b2941d239c105c4e41d69991c7f8c4184157f664238a22a63d1a9d2db

SHA512
603e328d83632a6fa9682a7264b76acaf95e4b91555df602619ae93a861606997367af090a757d20415f5ab8428db7694e97f1ae4d78458a88256b88f5ecf0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2680-8-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2680-18-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2756-0-0x0000000074081000-0x0000000074082000-memory.dmp

Filesize
4KB

Download
memory/2756-1-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2756-6-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2756-23-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads