metamorpherrat | d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff

General

Target

d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
Size

78KB
MD5

429b87cd41d4e67b43010fbd651e2cd2
SHA1

8862545b217e67c7a037b2aa1c20e74d85cb8b57
SHA256

d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff
SHA512

84ed16a0031c02a93b0d188f09619bb0428c7d068af9161c2372b5a9f7b7c34ed784acbb5fdd2ed20ba0510ac87ada68a7e86ef4e500e59edbb19a16c19a09da
SSDEEP

1536:XuHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtRK9/nM1GyG:XuHFon3xSyRxvY3md+dWWZyRK9/nIG

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2476	tmpB903.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1724	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
1724	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpB903.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB903.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
Token: SeDebugPrivilege	2476	tmpB903.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2304	1724	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe	30
PID 1724 wrote to memory of 2304	1724	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe	30
PID 1724 wrote to memory of 2304	1724	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe	30
PID 1724 wrote to memory of 2304	1724	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe	30
PID 2304 wrote to memory of 1484	2304	vbc.exe	32
PID 2304 wrote to memory of 1484	2304	vbc.exe	32
PID 2304 wrote to memory of 1484	2304	vbc.exe	32
PID 2304 wrote to memory of 1484	2304	vbc.exe	32
PID 1724 wrote to memory of 2476	1724	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe	33
PID 1724 wrote to memory of 2476	1724	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe	33
PID 1724 wrote to memory of 2476	1724	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe	33
PID 1724 wrote to memory of 2476	1724	d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe	33

C:\Users\Admin\AppData\Local\Temp\d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
"C:\Users\Admin\AppData\Local\Temp\d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ddd7lonn.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB990.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB98F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1484
- C:\Users\Admin\AppData\Local\Temp\tmpB903.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB903.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB990.tmp

Filesize
1KB

MD5
c6baf0eb8eee3af7644c66107f3fcf89

SHA1
397c7ed3f0b6d242d601524172af72acb9f12d52

SHA256
d3161fc3dd1172fa95b8a9e533e443d81865345490f802d29bae3cffaba34d74

SHA512
d6e543932b22d98ce3f9d9bb305c20640985b9bfcc7b724b38b3039333c52c14e0dde6accb0c05b622a6a3591a6d87c4f9f5a25c5d93f5b694c292e6a6e7f4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddd7lonn.0.vb

Filesize
15KB

MD5
71c82da5d8a93c98d5520f1d237644ed

SHA1
6572b1f4c19858744fa132fb09c5d39293dcb4e7

SHA256
c8ec7d8b6c913f3108725d6aa3c9684a22913912ba2875e7292c1ad9a467f568

SHA512
6b05bd655782fe7311e1659a63cd4cc06e7f4368f5e69f8314ae5852e7f5b57cb833433d3737f29ee67b7bf95ea1211752ecc17d72c6dabd4da319bb9dae19a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddd7lonn.cmdline

Filesize
266B

MD5
41d19e3f54f740e28fae5d85ea0c869c

SHA1
a1ccbff2a8dc1888cea336d9b1662e09cf294022

SHA256
407bd9e9880e649501e049d51532b297f370040ae3f0df022e697eeb553f984a

SHA512
66f0186dbdb9d820f216a34d4a2645f0af7bf69a2acb2a6bf774094c3eb32d15b2af56e5975bb18ea7774cec094bce64a320885677d83e83a329e9725bf8bc38

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB903.tmp.exe

Filesize
78KB

MD5
b9f1e60ba9f06362e45cdb77432c9d35

SHA1
d933f0f6d98e2a0deb229164bdb5118aae97be3b

SHA256
1824454f904eb09158896f2b51f8422149f272404bbe962794beee33c5747986

SHA512
54884e4a50bafa1ec8837e75305166d68f5d58feb9e552bad8b7d66e6f15f33e3be66737207c7741b8237064af1a31dfc5cfb24659c6cb27b001d6462b97080a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB98F.tmp

Filesize
660B

MD5
a404d2e3c9c96a1b774d6ffc6d9958d4

SHA1
079a08d743bda588bdc4be34103fd96fd556f508

SHA256
ac757903db9c7d22753f41be1c95ec46969072882eda870eab0269885650790b

SHA512
db4bdd8c9b4d470c9e3a0190d20585698118721134274fc9ff60a0992dc19a03a2a4b21f8bc325c5cf01386db6e902550f6ad21109e0549ba78e2fdf46709a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1724-0-0x0000000074771000-0x0000000074772000-memory.dmp

Filesize
4KB

Download
memory/1724-1-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/1724-2-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/1724-24-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/2304-8-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/2304-18-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads