metamorpherrat | 79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3

General

Target

79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe
Size

78KB
MD5

338ac0cb49828be98b61335242bb79dc
SHA1

d9f6daa5a82eca26ff64d20428c693384cb90036
SHA256

79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3
SHA512

1f33e8b5f90d15436e8b6a7542ca8bc14e7cef9db8ecf0c591b0f4092d608e3e9dc27b2f39eb6fcdf8616a9f9d4f4d8eb63721d658a1c19d4445926e8aa63eb1
SSDEEP

1536:shRWV5j3XT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt96159/eG1HQ:wRWV5jnSyRxvY3md+dWWZyG59/Q

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Deletes itself 1 IoCs

pid	Process
2896	tmp7629.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2896	tmp7629.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2716	79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe
2716	79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp7629.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7629.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe
Token: SeDebugPrivilege	2896	tmp7629.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2780	2716	79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe	30
PID 2716 wrote to memory of 2780	2716	79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe	30
PID 2716 wrote to memory of 2780	2716	79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe	30
PID 2716 wrote to memory of 2780	2716	79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe	30
PID 2780 wrote to memory of 2840	2780	vbc.exe	32
PID 2780 wrote to memory of 2840	2780	vbc.exe	32
PID 2780 wrote to memory of 2840	2780	vbc.exe	32
PID 2780 wrote to memory of 2840	2780	vbc.exe	32
PID 2716 wrote to memory of 2896	2716	79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe	33
PID 2716 wrote to memory of 2896	2716	79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe	33
PID 2716 wrote to memory of 2896	2716	79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe	33
PID 2716 wrote to memory of 2896	2716	79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe	33

C:\Users\Admin\AppData\Local\Temp\79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe
"C:\Users\Admin\AppData\Local\Temp\79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vqsw_2ug.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7714.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7713.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2840
- C:\Users\Admin\AppData\Local\Temp\tmp7629.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7629.tmp.exe" C:\Users\Admin\AppData\Local\Temp\79c73037e0229bba52fc34e038d884e4af315b2082bab5665faf18dbc02b02d3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7714.tmp

Filesize
1KB

MD5
c6025716eb08dfa2f7db834ecb5273a5

SHA1
2b7b66d7efa839f9e4ea0b610995cef0affea96e

SHA256
10ad21e3feaf46de83b03ca5368d3afa5c9e824cd7f6be6bb612a9558712e24f

SHA512
eb867b2a2f9cde5a1008f860bce49873913ca6843ecebe307bc447363f8889390b9e9140c3ebdc51f57b05f341c3260b63d4184decbaac1b5d901fc705938a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7629.tmp.exe

Filesize
78KB

MD5
72554c86d0d09ebc344ddbdf41497bc8

SHA1
3671570fe89c31d8e9892121391ef83e681b3973

SHA256
dd06cb504a25bcac427a7bb724d3e757b96abae3f260f00fba68b6c8fc02aaad

SHA512
d13327bf13e0fbd3cf1345beb100a04483c4fc0e9521d7aa342df73fc775e9352ba3dc60c121d4f56ed45d7306fc0ed81bbc44fe07312b84ea98cfeb12a55a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7713.tmp

Filesize
660B

MD5
e83ecb6e1f7334bd01d8941f07afd6a9

SHA1
d41de45e1346ecf5926dbc2e53248fed080bf24c

SHA256
8197a6ca4d1d0cd485f94cfe9ca56745a8be64997612f177f8438d09a611944e

SHA512
33811c2ff36e3bb22381e31ff6e9d7918ff586a56e93a80cb397833211e6853501e89063005142618a80304b63552f2ca1fd7ede8bb77d90b88256bde2f3e510

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqsw_2ug.0.vb

Filesize
14KB

MD5
7acd5ff2e2daa9bcc9100d850f277377

SHA1
258cdf45538230ce67fd9d6e640c2e550d760769

SHA256
e45f493cb0ac323ba57f71c2b53164c9e4aa62b3c1e84dc71a850580e226d622

SHA512
c9b871d288b54d6f05167c091076b2ed248afa24ad08fd72adebe37f0e301d0c24cb37e646d48a94a4ca17ae9f197f93dd1803ca5102d0372caff491584bb004

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqsw_2ug.cmdline

Filesize
266B

MD5
e0f1994d85bbc8a22aadac0afc1fffe5

SHA1
1bb40e89450322b3f5bab331cb1c0f2408216616

SHA256
a491bc36bbf03c7a07deee0ededf524d033041f18fb02fc5f31f0abddf65064c

SHA512
fc672ff9474e2a5b03fbc09c8cb3151bd5132f47e3e106c0e349daff75b00d15521c7052a7eb39b88008b7439a7ce2ebdf5661138ee6386e15b11c3b05b9ea75

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2716-0-0x0000000074B41000-0x0000000074B42000-memory.dmp

Filesize
4KB

Download
memory/2716-1-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download
memory/2716-2-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download
memory/2716-23-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download
memory/2780-8-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download
memory/2780-18-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads