metamorpherrat | ffe4d3a9f5292a1d9fbed201e77258d06863c4c4ec0b63493be634f1fe047c9b

General

Target

ffe4d3a9f5292a1d9fbed201e77258d06863c4c4ec0b63493be634f1fe047c9bN.exe
Size

78KB
MD5

981142d6e3ec027ba2f89a7418ce6960
SHA1

d6da101932c15a602f2620e6b39481592ddfa488
SHA256

ffe4d3a9f5292a1d9fbed201e77258d06863c4c4ec0b63493be634f1fe047c9b
SHA512

2084152716e4ab94d80621b1ba0cbe4a271421ee947dcc8092c11e08119a119a57ab251d5ea6b10a9cf638e4cb090b84c09e5eb693a66d6c72fd5241e90b0716
SSDEEP

1536:2V5jSDXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtN6R9/i1ue:2V5jSzSyRxvY3md+dWWZyy9/C

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2252	tmpA969.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1372	ffe4d3a9f5292a1d9fbed201e77258d06863c4c4ec0b63493be634f1fe047c9bN.exe
1372	ffe4d3a9f5292a1d9fbed201e77258d06863c4c4ec0b63493be634f1fe047c9bN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpA969.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffe4d3a9f5292a1d9fbed201e77258d06863c4c4ec0b63493be634f1fe047c9bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA969.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1372	ffe4d3a9f5292a1d9fbed201e77258d06863c4c4ec0b63493be634f1fe047c9bN.exe
Token: SeDebugPrivilege	2252	tmpA969.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 2776	1372	ffe4d3a9f5292a1d9fbed201e77258d06863c4c4ec0b63493be634f1fe047c9bN.exe	30
PID 1372 wrote to memory of 2776	1372	ffe4d3a9f5292a1d9fbed201e77258d06863c4c4ec0b63493be634f1fe047c9bN.exe	30
PID 1372 wrote to memory of 2776	1372	ffe4d3a9f5292a1d9fbed201e77258d06863c4c4ec0b63493be634f1fe047c9bN.exe	30
PID 1372 wrote to memory of 2776	1372	ffe4d3a9f5292a1d9fbed201e77258d06863c4c4ec0b63493be634f1fe047c9bN.exe	30
PID 2776 wrote to memory of 2444	2776	vbc.exe	32
PID 2776 wrote to memory of 2444	2776	vbc.exe	32
PID 2776 wrote to memory of 2444	2776	vbc.exe	32
PID 2776 wrote to memory of 2444	2776	vbc.exe	32
PID 1372 wrote to memory of 2252	1372	ffe4d3a9f5292a1d9fbed201e77258d06863c4c4ec0b63493be634f1fe047c9bN.exe	33
PID 1372 wrote to memory of 2252	1372	ffe4d3a9f5292a1d9fbed201e77258d06863c4c4ec0b63493be634f1fe047c9bN.exe	33
PID 1372 wrote to memory of 2252	1372	ffe4d3a9f5292a1d9fbed201e77258d06863c4c4ec0b63493be634f1fe047c9bN.exe	33
PID 1372 wrote to memory of 2252	1372	ffe4d3a9f5292a1d9fbed201e77258d06863c4c4ec0b63493be634f1fe047c9bN.exe	33

C:\Users\Admin\AppData\Local\Temp\ffe4d3a9f5292a1d9fbed201e77258d06863c4c4ec0b63493be634f1fe047c9bN.exe
"C:\Users\Admin\AppData\Local\Temp\ffe4d3a9f5292a1d9fbed201e77258d06863c4c4ec0b63493be634f1fe047c9bN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\svtcjjhv.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA64.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA63.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2444
- C:\Users\Admin\AppData\Local\Temp\tmpA969.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA969.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ffe4d3a9f5292a1d9fbed201e77258d06863c4c4ec0b63493be634f1fe047c9bN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAA64.tmp

Filesize
1KB

MD5
aef137002c205574013e1388ede69db3

SHA1
c67f54ae30e428ce0234dd8e27b5ca85fdf8fd66

SHA256
3791fa6712a2fd18a69421a9931e997ff386c31b653e144d5bd8030e3792a331

SHA512
28b57287db98cfd900618adcaa1d3db6de0aaac6c9665478312ecf1b64b7cf6dbf9ee45301be2eb0b522996c7b06f739fdfc66bbc71eec63866203be5229464a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svtcjjhv.0.vb

Filesize
14KB

MD5
4e945e2cedbed9e1f4637b0dcf10d6f5

SHA1
eec4a9b9fe85bfe6b31e86b939fda7aca76b5a7c

SHA256
b354b4a5c5343711010cccd43d7ef04131e84aed0f9022d86f13d9a9bd45daeb

SHA512
c9b66e2dfa7ebf4fedfa3c5c5adfdf41dd6f342b2cb5d596a332bf90114c11ee4df8ffde3aafe26ffd4670a8401fb926b5894d935a1fa3ee53c53bc567ce3fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svtcjjhv.cmdline

Filesize
266B

MD5
94324aa624d2c6ea1e955d8154d93cc8

SHA1
864d335e633a11223795d1734e618ec53935dffe

SHA256
50573f64726078134dfe6759bd089d7e93cdfd624e1e58ba75d2c577b872aa6c

SHA512
ccb4101bf2f9252dc166898cd0d7e0bedb50d593417ba125016acbe321af2a4bb3de826c2f15a1216aafa111c8a93aba4d96dabb2fdc8c84379306241f759230

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA969.tmp.exe

Filesize
78KB

MD5
1f297b0bea7e2a8ec68e598f3f424b45

SHA1
7b17b6029f74a672f0064d665e5481cb36f8b521

SHA256
45b841f0448737aac98570813e043649520e105eba7fa531b26d5d8a24d69bbe

SHA512
696e43825d76392b24a75476261e8ecce73424d0dafe6d0464e144fb7ad469c4f5b7cf296e49741386ff17724445a21d2c9703af8e6324ed31c5da40aea2b74e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAA63.tmp

Filesize
660B

MD5
cf9acd161af2abc02622cc778cc84512

SHA1
d601eee5524b4b17d850ddcf42bdaed4f0e9cdf8

SHA256
c67cbbc955eddc20d3c4e73a8b4978cc6d83406ec2144a1690cb3703de532973

SHA512
d4036febdcba1fc1bf59194b0651b2f915e5563a19b60edce3f3bee63c07603950565e139b9af314a1518f07444f4bb994cf5a1a8d04829b9c3742c649a111cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1372-0-0x00000000747E1000-0x00000000747E2000-memory.dmp

Filesize
4KB

Download
memory/1372-1-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1372-2-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1372-24-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2776-8-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2776-18-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads