metamorpherrat | 288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc

General

Target

288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe
Size

78KB
MD5

f8bb09157694e42a33a50598ba04fb6b
SHA1

0c0ac1cd86a8fa3873f25d8018d4fdfd43563a00
SHA256

288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc
SHA512

e92ddf32c7e3ca4cb0812d8b49c5e3a020aad30ae8fb2d73c2535f990f765afe2595d80b15740a94c827459855a994d4c11335c16d633164cab8e906ced20725
SSDEEP

1536:zhRWV5jLXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt96p9/WRa160:lRWV5jLSyRxvY3md+dWWZye9/V

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Deletes itself 1 IoCs

pid	Process
2676	tmpE540.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2676	tmpE540.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1868	288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe
1868	288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpE540.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE540.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1868	288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe
Token: SeDebugPrivilege	2676	tmpE540.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 1532	1868	288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe	31
PID 1868 wrote to memory of 1532	1868	288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe	31
PID 1868 wrote to memory of 1532	1868	288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe	31
PID 1868 wrote to memory of 1532	1868	288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe	31
PID 1532 wrote to memory of 3068	1532	vbc.exe	33
PID 1532 wrote to memory of 3068	1532	vbc.exe	33
PID 1532 wrote to memory of 3068	1532	vbc.exe	33
PID 1532 wrote to memory of 3068	1532	vbc.exe	33
PID 1868 wrote to memory of 2676	1868	288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe	34
PID 1868 wrote to memory of 2676	1868	288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe	34
PID 1868 wrote to memory of 2676	1868	288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe	34
PID 1868 wrote to memory of 2676	1868	288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe	34

C:\Users\Admin\AppData\Local\Temp\288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe
"C:\Users\Admin\AppData\Local\Temp\288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tjeg6zhr.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE63B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE63A.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3068
- C:\Users\Admin\AppData\Local\Temp\tmpE540.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE540.tmp.exe" C:\Users\Admin\AppData\Local\Temp\288c043558e21bf8ab3cf3e14803a159675a38611f4ae8c3410b51f26a7ed4dc.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE63B.tmp

Filesize
1KB

MD5
f89d41c681ea5532a7619c0f5e0ba281

SHA1
8f69d0b91bd898f6525b30e9c83c50b6009a503e

SHA256
3ec7d0b5aaa093934b7f5333a06c7550c1740f76cd8201e8c1a2b6e604d59a70

SHA512
9ad3a73714e4a97c55dd26c12209a1bdd76f8abe209b82d37247fa5c49abe790465bd9e29daa70ce7625b67f2dfd3cd30f4e20790c6cef8050c77ec330f78792

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjeg6zhr.0.vb

Filesize
14KB

MD5
c47f6683753058bbbe294a0a5ce68485

SHA1
b3362a85fb70c4e05fa21dbfccc6e5fd28190368

SHA256
130ec8dad473e281bf4fbe87f71cd026eca561e651de657439df180960f15e0d

SHA512
a6ca49dd72f9860eec26dc5c37b967586d60cc136f85b9800f772282972adbab779151c039c80170779766b1f2ae0c1cdda58fc8505c39c0bb383686a807f6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjeg6zhr.cmdline

Filesize
266B

MD5
f3918707c8363160c1063e6f241d3936

SHA1
882bf6a89ddebaacee023449e2154c3c55536393

SHA256
d5cda6879be34c8d6b0f3a504bf30aeead8b0f82d5d0fcdb31517929ad40cbd8

SHA512
51f4744e8f839ee3007c7329f771581ea05312dd3cc0efc4b802e49f2eca3a548b30e4a6c693fd1dc181973baf978e676da9c20d1aa8867c1c57dc5d345eb2a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE540.tmp.exe

Filesize
78KB

MD5
447978c8558f59ed6dcbe595321ee967

SHA1
6529ce610bd8acf1953541b72059688e636309d9

SHA256
a30f32660e569090b013da842200c68f99aa11b054985272fafea19698a2f29f

SHA512
83e80e348cd82ff8947fa675a057446e786cf93ae05324d24bbc20abf165c90911de5b7eea851789fa927192759ec884af49d1e6635ffe5751979b61b1178edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE63A.tmp

Filesize
660B

MD5
5df204b809ca7b08bb2a26681403b55c

SHA1
d9cfc2df1255e93b2ec87cda2bd9560dc1a12154

SHA256
adebcf4323f6004152e0b9dd188c7248e58691c830431632c17e6c5da17d813b

SHA512
18f8ed0501df33da4a62fb44135ec35269aed45a61e00fa3dff872556e99abfe459731ae8b32b95a721d3ea657eb266ff839abc2d328e429d10bfcf3b41506d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1532-8-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-18-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/1868-0-0x00000000747B1000-0x00000000747B2000-memory.dmp

Filesize
4KB

Download
memory/1868-1-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/1868-2-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/1868-24-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads