metamorpherrat | 2410539d671a2b7a2e0ae11a375456d2ef70785ec453d9534f320a0710e99975

General

Target

2410539d671a2b7a2e0ae11a375456d2ef70785ec453d9534f320a0710e99975.exe
Size

78KB
MD5

136e506423afd829567b101ee68ca17a
SHA1

a2275a53b90dd82dd9247577e6ce9cacdb329aef
SHA256

2410539d671a2b7a2e0ae11a375456d2ef70785ec453d9534f320a0710e99975
SHA512

0a2ff44d5523a3fb93aaf79b33410630d0de6b13247066093e721e89d27c8576eead4bec96650b0bd035218db7070b7aae8e811c71889dcdc6d09725472fda63
SSDEEP

1536:vWV5jSJXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtN609/Bs1T/5:vWV5jS5SyRxvY3md+dWWZyf9/w5

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2472	tmp9CBC.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1944	2410539d671a2b7a2e0ae11a375456d2ef70785ec453d9534f320a0710e99975.exe
1944	2410539d671a2b7a2e0ae11a375456d2ef70785ec453d9534f320a0710e99975.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp9CBC.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2410539d671a2b7a2e0ae11a375456d2ef70785ec453d9534f320a0710e99975.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9CBC.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	2410539d671a2b7a2e0ae11a375456d2ef70785ec453d9534f320a0710e99975.exe
Token: SeDebugPrivilege	2472	tmp9CBC.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2316	1944	2410539d671a2b7a2e0ae11a375456d2ef70785ec453d9534f320a0710e99975.exe	30
PID 1944 wrote to memory of 2316	1944	2410539d671a2b7a2e0ae11a375456d2ef70785ec453d9534f320a0710e99975.exe	30
PID 1944 wrote to memory of 2316	1944	2410539d671a2b7a2e0ae11a375456d2ef70785ec453d9534f320a0710e99975.exe	30
PID 1944 wrote to memory of 2316	1944	2410539d671a2b7a2e0ae11a375456d2ef70785ec453d9534f320a0710e99975.exe	30
PID 2316 wrote to memory of 2240	2316	vbc.exe	32
PID 2316 wrote to memory of 2240	2316	vbc.exe	32
PID 2316 wrote to memory of 2240	2316	vbc.exe	32
PID 2316 wrote to memory of 2240	2316	vbc.exe	32
PID 1944 wrote to memory of 2472	1944	2410539d671a2b7a2e0ae11a375456d2ef70785ec453d9534f320a0710e99975.exe	33
PID 1944 wrote to memory of 2472	1944	2410539d671a2b7a2e0ae11a375456d2ef70785ec453d9534f320a0710e99975.exe	33
PID 1944 wrote to memory of 2472	1944	2410539d671a2b7a2e0ae11a375456d2ef70785ec453d9534f320a0710e99975.exe	33
PID 1944 wrote to memory of 2472	1944	2410539d671a2b7a2e0ae11a375456d2ef70785ec453d9534f320a0710e99975.exe	33

C:\Users\Admin\AppData\Local\Temp\2410539d671a2b7a2e0ae11a375456d2ef70785ec453d9534f320a0710e99975.exe
"C:\Users\Admin\AppData\Local\Temp\2410539d671a2b7a2e0ae11a375456d2ef70785ec453d9534f320a0710e99975.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7d1jl2og.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D78.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D77.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2240
- C:\Users\Admin\AppData\Local\Temp\tmp9CBC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9CBC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2410539d671a2b7a2e0ae11a375456d2ef70785ec453d9534f320a0710e99975.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7d1jl2og.0.vb

Filesize
14KB

MD5
59b57924d7ece925454d035a88ece0c4

SHA1
a29865e4608c72274518893d4489a13ab335bbab

SHA256
2ada082a712c6e2615a40b1c661470218a3bef736e9d8a56d0efe8a62a012d89

SHA512
4b32720c066ce457df26eec5bec925c12bd4faa9ed40b8203218d5992bc4cedc02aac3900a0c57632ac91a4e3b68f9c48bfcc28e3fa665c106a6b30848eb14c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d1jl2og.cmdline

Filesize
266B

MD5
df6c610dab84c4a7c09ebb77984310d9

SHA1
1ad98f4fbe4cbf0783fcc4247991adeb50e0c9d3

SHA256
33b9f0af9b5aeb6166bcf7244688fb5ee1a970386fd21ba062a5f27f95ee0eec

SHA512
ebb33a549888aec4d629c92801465e778a7177746ba8a8e78dc0f9e7315fe3d30922234bb46f450729947bef8d62e9367cbc9df7b10e67d871b22a60ada6e9bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9D78.tmp

Filesize
1KB

MD5
c024098115f3fcc28244ed8848e6e704

SHA1
ea4a0905cfee43d494a0bff481f77049444f60a8

SHA256
42bb681c16d1f5f9c359829290a84e9c2cdb7d2c7ca0cbbf43ea77b6dca343f4

SHA512
96cc058728a9de3609424c9e438775f70f3714af864bd75d882bb2b9324fa5fb151cddcb49b136826b0ec557215e633850361e42dbe39b866d825913cee1c303

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9CBC.tmp.exe

Filesize
78KB

MD5
a1c4be01b7a073e5aea1ccda1d313a60

SHA1
f1451a57d995c8c543d9001faf1f7b1968aa7053

SHA256
8edeb5d08d8295664f0216d3a2f02ff61ca18405af24b98c6aa603946a05c017

SHA512
d62f4ed5b880dfe8312292bd53ff26e4cce765cc6660bcf5d9643226d46a040ee285e680b11ad2dfc9199f49a1bc1b3a2bd28a7be47bd74e2ab56de395c8a9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9D77.tmp

Filesize
660B

MD5
374aeb91182a97abc226b9b67d0e4411

SHA1
5809265231c6f2223efaa4ee3de4e97f4ca09258

SHA256
b488949d2e67ee27e8741cc667ec670426e7319b1cae6802ada4a26f3e7fb652

SHA512
0a4cc087091ca10a1153923969b0e6a6cec5ed4f805db1c7a16843a37215855ca92379c3fcdf45c27578b0bd5defdafcec73b721de2d61f0c4ca46faa1d9f6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1944-0-0x0000000074DA1000-0x0000000074DA2000-memory.dmp

Filesize
4KB

Download
memory/1944-1-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/1944-2-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/1944-24-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/2316-8-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/2316-18-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads