metamorpherrat | d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff

General

Target

d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
Size

78KB
MD5

429b87cd41d4e67b43010fbd651e2cd2
SHA1

8862545b217e67c7a037b2aa1c20e74d85cb8b57
SHA256

d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff
SHA512

84ed16a0031c02a93b0d188f09619bb0428c7d068af9161c2372b5a9f7b7c34ed784acbb5fdd2ed20ba0510ac87ada68a7e86ef4e500e59edbb19a16c19a09da
SSDEEP

1536:XuHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtRK9/nM1GyG:XuHFon3xSyRxvY3md+dWWZyRK9/nIG

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2796	tmp84BA.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2904	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
2904	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp84BA.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp84BA.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
Token: SeDebugPrivilege	2796	tmp84BA.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 884	2904	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe	28
PID 2904 wrote to memory of 884	2904	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe	28
PID 2904 wrote to memory of 884	2904	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe	28
PID 2904 wrote to memory of 884	2904	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe	28
PID 884 wrote to memory of 2564	884	vbc.exe	30
PID 884 wrote to memory of 2564	884	vbc.exe	30
PID 884 wrote to memory of 2564	884	vbc.exe	30
PID 884 wrote to memory of 2564	884	vbc.exe	30
PID 2904 wrote to memory of 2796	2904	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe	31
PID 2904 wrote to memory of 2796	2904	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe	31
PID 2904 wrote to memory of 2796	2904	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe	31
PID 2904 wrote to memory of 2796	2904	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe	31

C:\Users\Admin\AppData\Local\Temp\d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
"C:\Users\Admin\AppData\Local\Temp\d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m9dsezv2.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85D4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc85C3.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2564
- C:\Users\Admin\AppData\Local\Temp\tmp84BA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp84BA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES85D4.tmp

Filesize
1KB

MD5
e3c9bc358a254b56a42e2143f2105607

SHA1
c01d2d7f027edb5fa8aa44b748c0bf017126b987

SHA256
1f6567650188eb62be802cee9361b24b197943deaf5e40448afdea26f98dd635

SHA512
6650a915c29a725bbf4b46e98279a05aae22cd46eab096a6f91c85d09ac1f7af486eed97ebf8772e712829c7d96021a6e217657b7bc9a52e776563b9650c1517

Download Submit
C:\Users\Admin\AppData\Local\Temp\m9dsezv2.0.vb

Filesize
15KB

MD5
53125f48d9c57221a93dbd5178c0a27c

SHA1
35b9faac81013939b90c13564edb5097f60b2470

SHA256
f417fc559d0f23e5e111ab5778be41fc55347a938ddfebf0db054e744144b745

SHA512
85118b0067f221e044a494cabc81b12e1fb29ccd68d48976dc2e462d06b39ab5a8fa6370ac802f491ef6ca5589df3d1d6ba863619ff6c4686308f7a5f2b73ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\m9dsezv2.cmdline

Filesize
266B

MD5
371f6d454b47e05624eb9c6fa5d08b0b

SHA1
abb7c43e928b11d7c4dea8a0cc7e0debadb8d97e

SHA256
dab7c0ea8312187a9f723df52697bee6820dbe215ccf28b9fcd36cc858e3d45f

SHA512
cf034f23eef8fc9f1498407836bafb9bfb1b1b2ecc00a58bb82278aaeae10d6989b85351589dec12464645ed0ac78c9c9478d04159f1ca1eeddf8c68e253d654

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp84BA.tmp.exe

Filesize
78KB

MD5
a1b43e257c115cc625356ea56b931beb

SHA1
d39c9151eb4f14e1940934646304ff62de49d853

SHA256
75f35385fcfc508becaf52ba60bd69de2f74abfe183fed3abcf810992eeed510

SHA512
5eabb53595b221897dd48b7f34b72476f724b7034cfafaed660a22a9a93329bbcb925d66006a6df69a6bfc5aeb12639a03bdbefb2b0bee6935b2c96e3475c8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc85C3.tmp

Filesize
660B

MD5
21252850552b35021e82b4c966794931

SHA1
4b8ce5b41364d54f7a9c993600100225f0d4b1ea

SHA256
d797b4fa3c69f791adad31998898b62cf8c33d91d74e9da8b042cb9c60fdac3f

SHA512
d7fb66e705afe3da1051f0ca28f92c71a4a935f6f4a75da5d7e373b9f17dc54e846cc28e7bd83f085c936cad17fb297c12e1682317e416177019129627e81e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/884-8-0x0000000074660000-0x0000000074C0B000-memory.dmp

Filesize
5.7MB

Download
memory/884-18-0x0000000074660000-0x0000000074C0B000-memory.dmp

Filesize
5.7MB

Download
memory/2904-0-0x0000000074661000-0x0000000074662000-memory.dmp

Filesize
4KB

Download
memory/2904-1-0x0000000074660000-0x0000000074C0B000-memory.dmp

Filesize
5.7MB

Download
memory/2904-2-0x0000000074660000-0x0000000074C0B000-memory.dmp

Filesize
5.7MB

Download
memory/2904-23-0x0000000074660000-0x0000000074C0B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads