metamorpherrat | c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9

General

Target

c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe
Size

78KB
MD5

85033b49c9ac41e0c9bf581ab2bcb550
SHA1

de84c29eae054377ff594acda306def1448d3ce6
SHA256

c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9
SHA512

001609c9190f506833a56bf273bc62bbfe2a5b7692275e0eda543599f9d55cf1584023ab87fe5e5b4e2d63951f25d505b8f949645e7a33b5473714d826ecae26
SSDEEP

1536:OPWtHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtS9/K1+m:OPWtHFon3xSyRxvY3md+dWWZyS9/y

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2508	tmp5A40.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1672	c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe
1672	c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp5A40.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A40.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe
Token: SeDebugPrivilege	2508	tmp5A40.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2608	1672	c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe	28
PID 1672 wrote to memory of 2608	1672	c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe	28
PID 1672 wrote to memory of 2608	1672	c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe	28
PID 1672 wrote to memory of 2608	1672	c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe	28
PID 2608 wrote to memory of 2812	2608	vbc.exe	30
PID 2608 wrote to memory of 2812	2608	vbc.exe	30
PID 2608 wrote to memory of 2812	2608	vbc.exe	30
PID 2608 wrote to memory of 2812	2608	vbc.exe	30
PID 1672 wrote to memory of 2508	1672	c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe	31
PID 1672 wrote to memory of 2508	1672	c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe	31
PID 1672 wrote to memory of 2508	1672	c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe	31
PID 1672 wrote to memory of 2508	1672	c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe	31

C:\Users\Admin\AppData\Local\Temp\c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe
"C:\Users\Admin\AppData\Local\Temp\c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p2mgf89b.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B2B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5B2A.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812
- C:\Users\Admin\AppData\Local\Temp\tmp5A40.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5A40.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c19abcd58268dcdfd58cfb37ebbba3220d2f2d421af4858a28bcadecac77edc9N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5B2B.tmp

Filesize
1KB

MD5
305335fb60ac86951b8d599682489fde

SHA1
7ac6ee04f4b1d090c971d59c31bee3b31f488fae

SHA256
59a35e28f6b84ff8c2584d5796e34280dbd51a120e8984a1b222359db97975bd

SHA512
974fe00b9f72812993f8dce42ae80d9d09f4beac108120d3ed8d297fc5d8580e5f969161eb197e956a3d82d12b983514564a51197015ceaeb0683c3a60324bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\p2mgf89b.0.vb

Filesize
15KB

MD5
cdf2ba349b1d4ee4e52fe6f8f32647de

SHA1
98a8676943456d0526833d95eea4a1e000a201f6

SHA256
b1a3e0601e7ff811d4892962331b2c88c0300587dc69987bab02fb0a2e3b0770

SHA512
2c5557d85edff9c226dd38ba4574efaa3be9b5b2bc44f4f76be1ba00568a52a1d2adb1b6fccaddf01a5134458244b9e545b6b0687c003b8927043839c662ed8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\p2mgf89b.cmdline

Filesize
266B

MD5
56d81a07bd4761a43b2d989a0ed79141

SHA1
dc3a5eca721a8afe9a43708854dd84d55243456a

SHA256
31d4837dede8ec0055779cce7bc0cfa3ace8ddb33a4078dc0259b828c1f8bcb4

SHA512
ff220601748366218b68fda0a5d176b56d89b1afb9c5e631c652836bd45f441a40d70a5081ebeafedd02088d94c29dadbac742645228af5f05b6bb7333695d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5A40.tmp.exe

Filesize
78KB

MD5
09e00a4e5826e7d11aab4401ba0db8ae

SHA1
85194b7148b85cf43a37f13e0d76205012e2b670

SHA256
25ff6dcc606d174236585f58e0bb69464796016360ba81bca2785d6d61481e48

SHA512
92d2ea66fff0e9fdc29430c6c3258122a112b2004d1bbe73188669917b3cbc30e7cf497743bc7a2e8c3f652dcc631d939dbe5b72c5594719c76876f501f00ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5B2A.tmp

Filesize
660B

MD5
ee856a7724eabaa55956facddeff59ec

SHA1
f0fd0c315da8588ce9f40e5a9298b8232e52f0df

SHA256
f33f3c2cfbcef20f7810b8fb35d8e49e29a1e50fe18cdeaf187fbcf0eb345680

SHA512
0849760a61510fe42a86cbb34a10fc0fbd379e20700df7711e81e1af4493353f7f56480876e2bd9e834d76bd7ab1b10b36c73d70d945ee9435e60564be26d24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1672-0-0x00000000745B1000-0x00000000745B2000-memory.dmp

Filesize
4KB

Download
memory/1672-1-0x00000000745B0000-0x0000000074B5B000-memory.dmp

Filesize
5.7MB

Download
memory/1672-2-0x00000000745B0000-0x0000000074B5B000-memory.dmp

Filesize
5.7MB

Download
memory/1672-24-0x00000000745B0000-0x0000000074B5B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-8-0x00000000745B0000-0x0000000074B5B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-18-0x00000000745B0000-0x0000000074B5B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads