metamorpherrat | 40cc4b3a2983dcb2ee322789b4b4eb143b1787890c89b1ab07aaf70567c9eca4

General

Target

40cc4b3a2983dcb2ee322789b4b4eb143b1787890c89b1ab07aaf70567c9eca4.exe
Size

78KB
MD5

f5fb9ed4b09c2513fd9871765ebd313a
SHA1

e0c02c368a9eecedd54488412ce6d2db8c99372f
SHA256

40cc4b3a2983dcb2ee322789b4b4eb143b1787890c89b1ab07aaf70567c9eca4
SHA512

c5e75f3d011c8edd82202502e3198c40099a21d4b62160628006e5a2ff18abbe0734ad77a5569fc51523c983bfb47c96c6185d47c825541cf27af8b01239597d
SSDEEP

1536:S5jSDXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtN6P9/94ae1xS:S5jSzSyRxvY3md+dWWZyY9/F

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2972	tmpC581.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2100	40cc4b3a2983dcb2ee322789b4b4eb143b1787890c89b1ab07aaf70567c9eca4.exe
2100	40cc4b3a2983dcb2ee322789b4b4eb143b1787890c89b1ab07aaf70567c9eca4.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpC581.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40cc4b3a2983dcb2ee322789b4b4eb143b1787890c89b1ab07aaf70567c9eca4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC581.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	40cc4b3a2983dcb2ee322789b4b4eb143b1787890c89b1ab07aaf70567c9eca4.exe
Token: SeDebugPrivilege	2972	tmpC581.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2412	2100	40cc4b3a2983dcb2ee322789b4b4eb143b1787890c89b1ab07aaf70567c9eca4.exe	30
PID 2100 wrote to memory of 2412	2100	40cc4b3a2983dcb2ee322789b4b4eb143b1787890c89b1ab07aaf70567c9eca4.exe	30
PID 2100 wrote to memory of 2412	2100	40cc4b3a2983dcb2ee322789b4b4eb143b1787890c89b1ab07aaf70567c9eca4.exe	30
PID 2100 wrote to memory of 2412	2100	40cc4b3a2983dcb2ee322789b4b4eb143b1787890c89b1ab07aaf70567c9eca4.exe	30
PID 2412 wrote to memory of 3036	2412	vbc.exe	32
PID 2412 wrote to memory of 3036	2412	vbc.exe	32
PID 2412 wrote to memory of 3036	2412	vbc.exe	32
PID 2412 wrote to memory of 3036	2412	vbc.exe	32
PID 2100 wrote to memory of 2972	2100	40cc4b3a2983dcb2ee322789b4b4eb143b1787890c89b1ab07aaf70567c9eca4.exe	33
PID 2100 wrote to memory of 2972	2100	40cc4b3a2983dcb2ee322789b4b4eb143b1787890c89b1ab07aaf70567c9eca4.exe	33
PID 2100 wrote to memory of 2972	2100	40cc4b3a2983dcb2ee322789b4b4eb143b1787890c89b1ab07aaf70567c9eca4.exe	33
PID 2100 wrote to memory of 2972	2100	40cc4b3a2983dcb2ee322789b4b4eb143b1787890c89b1ab07aaf70567c9eca4.exe	33

C:\Users\Admin\AppData\Local\Temp\40cc4b3a2983dcb2ee322789b4b4eb143b1787890c89b1ab07aaf70567c9eca4.exe
"C:\Users\Admin\AppData\Local\Temp\40cc4b3a2983dcb2ee322789b4b4eb143b1787890c89b1ab07aaf70567c9eca4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cyu1nrtm.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC66C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC66B.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3036
- C:\Users\Admin\AppData\Local\Temp\tmpC581.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC581.tmp.exe" C:\Users\Admin\AppData\Local\Temp\40cc4b3a2983dcb2ee322789b4b4eb143b1787890c89b1ab07aaf70567c9eca4.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC66C.tmp

Filesize
1KB

MD5
9903becc084beeca1c9a2c77e2333cf2

SHA1
b06ea192e27ea81e5649d9167eb3bf528517767c

SHA256
2d487e2e8cbe6f744db90dd6eb3282b02b6dbe43d0d9f6734e5d155960741abe

SHA512
54c85ebcce1ee75a59eb8f6e1fa2b5fd656128b7b74720d9952eb86a79be2748dae0abf08788dbdf15f0effeac6a46cb4f4d7f9c8d247c1837017d9985da8485

Download Submit
C:\Users\Admin\AppData\Local\Temp\cyu1nrtm.0.vb

Filesize
14KB

MD5
f4b740b030131741fb2aa04308214a48

SHA1
976c77a31814870e4a0b7a45ad1c8d39b1a668bf

SHA256
fc805da0ae3cdcff6f42dc21d532f561014d3ed888ad527c601db3bacf2153a9

SHA512
66a2ce66310c072530bcf0aa1432cc6e8da8070f64ef518129970796c03d0dd46208b036aca7ac5a23a63ca4c57cece19479def040006c678d547545be05c372

Download Submit
C:\Users\Admin\AppData\Local\Temp\cyu1nrtm.cmdline

Filesize
266B

MD5
cd287ee0080e0568c826e988f5703063

SHA1
ceb74584a3679ea201158f51c13d4191ebf5be25

SHA256
e7367e0d551fbfd53edcb0aa55748c6a7dad59b1123f21e0283040a1b3e7c561

SHA512
4117cd373b43f5bed88a1a0bec7be217a1d7686a8852f20bd5ec57d9ab178b2b70cf3c1b4084c7074178bb995e5a204e1a3f54bcb36a37910927b19dd1cb4401

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC581.tmp.exe

Filesize
78KB

MD5
88e089cf8a4c60524195f94335008986

SHA1
9e99b8202820e5785661d19bfce07c43cadac0df

SHA256
699f7f642590959a1714ddd794672c3869e3fff543263cabb11cefe0274ab765

SHA512
644cffffa793f3e23d44960e8d7aea1b5a791e81b6861691ec96228488c869021bcbed06e1a3b2f73abeabf749032c390ee3ba5bbe741884d66ecff5d3e35584

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC66B.tmp

Filesize
660B

MD5
e63e3b2ebff8eb144a2e51feed8b82ac

SHA1
bd492e7e17171c7b6717c7ebbc0b9659031b0eee

SHA256
6e538c569dd6146ee1a204ea8b9725194f0c4c2065564a26418fcadd0e63dfb9

SHA512
2cc75f230f988e7d9e512b6be49b717d90b4f965ebaac7e3eee062b5fe80ae6aa75343a0fa0725c0025c01161b1a7efb1dd8c715228aba0ce9d50517f40cf148

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2100-0-0x0000000074801000-0x0000000074802000-memory.dmp

Filesize
4KB

Download
memory/2100-1-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/2100-5-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/2100-24-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/2412-8-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/2412-18-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads