metamorpherrat | e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e

General

Target

e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe
Size

78KB
MD5

23dafd8e528d068d04df141bcc9de510
SHA1

25c0b269b1ea02be114dee089d86b970fa631184
SHA256

e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e
SHA512

34a6070bca3c1f86c6a48e6b50dd81b84d4d32be500e92d344bd6a6695326affa26091626b0c0abcfeab166f2f811abada69e95761921c4f9aa80d0815a36257
SSDEEP

1536:EzWV59XT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt96CV9/JN1uNL:qWV5tSyRxvY3md+dWWZyfV9/JaL

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Deletes itself 1 IoCs

pid	Process
2960	tmpBA69.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2960	tmpBA69.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2236	e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe
2236	e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpBA69.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBA69.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe
Token: SeDebugPrivilege	2960	tmpBA69.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2316	2236	e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe	30
PID 2236 wrote to memory of 2316	2236	e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe	30
PID 2236 wrote to memory of 2316	2236	e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe	30
PID 2236 wrote to memory of 2316	2236	e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe	30
PID 2316 wrote to memory of 1740	2316	vbc.exe	32
PID 2316 wrote to memory of 1740	2316	vbc.exe	32
PID 2316 wrote to memory of 1740	2316	vbc.exe	32
PID 2316 wrote to memory of 1740	2316	vbc.exe	32
PID 2236 wrote to memory of 2960	2236	e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe	33
PID 2236 wrote to memory of 2960	2236	e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe	33
PID 2236 wrote to memory of 2960	2236	e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe	33
PID 2236 wrote to memory of 2960	2236	e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe	33

C:\Users\Admin\AppData\Local\Temp\e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe
"C:\Users\Admin\AppData\Local\Temp\e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o_9a80pg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBF0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBBEF.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1740
- C:\Users\Admin\AppData\Local\Temp\tmpBA69.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBA69.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBBF0.tmp

Filesize
1KB

MD5
668e6b47fd7393a67bf384ea4d7ed2f7

SHA1
e5756ad1fa346798ad2d577366cd62ab8bf9e6ec

SHA256
96de15bbb75fcc60f5ebe3adc129818d8b4072cc5b19b7bfe9d40d888b4cfeef

SHA512
6f9a69ee98cdd84965f6404649e326fa12f2d78ebc894cb03b3099a8bd4cb3111927959925129ef986d7da2ba7350a57c1b37d568670712b28d1c3827ab63ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\o_9a80pg.0.vb

Filesize
14KB

MD5
86165dc8cb77e0fa0d3692198506e462

SHA1
0c0e6bd9977d8b6babefa5b8ca8ecf8583be36b6

SHA256
635b98737635a66debee752a9a3b2f7f33588b64d1c08ff054a1644e7b9b8303

SHA512
90cb22661a85b99a82e2cac13b54af33b8d34dcd85783de7dcc4781e79e2992628bfc1c2822e707f9fa8a8207420e2194d1a79fa717c1beb6e213689929c320a

Download Submit
C:\Users\Admin\AppData\Local\Temp\o_9a80pg.cmdline

Filesize
266B

MD5
5b58648f971b56940a5d08d880ecc2a9

SHA1
cefe0e5313edbf22e34389c81b22667ed97e4fea

SHA256
5afb02f84f51609dde1becf6c443ac7e435f014c5f67cfd97dee370e63917453

SHA512
c9d5902ce3762aa1c34b05cb37c9c81a125a576ae4686484fd821f965b812473cc384781829533c0c1ab91926111c85810a005a9a3f97b9f78f0ba5628eaa57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA69.tmp.exe

Filesize
78KB

MD5
069fc59486ea53f40ea56662331a37b7

SHA1
772a21340ad80ed6e4f24401763f09702696ec0c

SHA256
915ce9815bfd28559b6e7b04b36f0167a1c1cd6ec30335da4a204063445a206f

SHA512
e1739025f7421f6afd0feb40ebe2ac3035e688d7e5be08ee15a4bf5cb69bf91bc29ca8f5c045c23154adcf0b3cb55c07fc36152106a7286a83c39412d2996282

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBBEF.tmp

Filesize
660B

MD5
2acad230a30728a9780b35fdc85d71a7

SHA1
afb9c8832d1ebd1c36109c344f6684c4ded7be3d

SHA256
fddd400cac53170f1add4a4faac18900aaa51fadbbbe4ebf15dc6881b54b4015

SHA512
511d2b7bdcc6ba5729bfb5a812fecb9cf78b4f1cd01f81a0ecf229d33fef22b436eb9c27ac1e9e499f67d47d60d8cfa39e0e5bbe69eaaf92e2f30a022e2e3a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2236-0-0x0000000073E01000-0x0000000073E02000-memory.dmp

Filesize
4KB

Download
memory/2236-1-0x0000000073E00000-0x00000000743AB000-memory.dmp

Filesize
5.7MB

Download
memory/2236-2-0x0000000073E00000-0x00000000743AB000-memory.dmp

Filesize
5.7MB

Download
memory/2236-24-0x0000000073E00000-0x00000000743AB000-memory.dmp

Filesize
5.7MB

Download
memory/2316-8-0x0000000073E00000-0x00000000743AB000-memory.dmp

Filesize
5.7MB

Download
memory/2316-18-0x0000000073E00000-0x00000000743AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads