metamorpherrat | 852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532b

General

Target

852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe
Size

78KB
MD5

b742de9bc496dd534ff7c724b89d60e0
SHA1

01d90fccfe45eb41f4320b7bee05c4607b0881b8
SHA256

852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532b
SHA512

277b505a44ae2f4ae6db9a50ff88087656ca6afe65bd1841bf3e83d7e7ec15c486e4cbdc2daadc4e4a2c45fa86913e512585c85f82f6ea4bcdbe6510f6e43edb
SSDEEP

1536:VHY6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtv9/wW1u+:VHYn3xSyRxvY3md+dWWZyv9/wO

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2280	tmpB77D.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2076	852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe
2076	852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpB77D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB77D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2076	852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe
Token: SeDebugPrivilege	2280	tmpB77D.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2724	2076	852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe	30
PID 2076 wrote to memory of 2724	2076	852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe	30
PID 2076 wrote to memory of 2724	2076	852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe	30
PID 2076 wrote to memory of 2724	2076	852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe	30
PID 2724 wrote to memory of 2148	2724	vbc.exe	32
PID 2724 wrote to memory of 2148	2724	vbc.exe	32
PID 2724 wrote to memory of 2148	2724	vbc.exe	32
PID 2724 wrote to memory of 2148	2724	vbc.exe	32
PID 2076 wrote to memory of 2280	2076	852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe	33
PID 2076 wrote to memory of 2280	2076	852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe	33
PID 2076 wrote to memory of 2280	2076	852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe	33
PID 2076 wrote to memory of 2280	2076	852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe	33

C:\Users\Admin\AppData\Local\Temp\852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe
"C:\Users\Admin\AppData\Local\Temp\852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zbhp9eyf.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAE7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBAE6.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2148
- C:\Users\Admin\AppData\Local\Temp\tmpB77D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB77D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\852d540647024f1aad414aa4a0e9cf041ef24efc7702ff4f770389cba77a532bN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBAE7.tmp

Filesize
1KB

MD5
af91e971644e7b34757b1735c6e58e2c

SHA1
6d2c1f3a47f54f1387efad9ba05b80704b7f755c

SHA256
b84f1bfcd1f2345fbc6bfd6575b2be07416db015df7492f14381156dbe58408c

SHA512
8b0dd02b8af4cd49923481e6ebbea398c7d221b8d1ed70c67ac6a843c770e041ae59c174c7dfbe4fe833c35e993d382f2852085f6f73494972721fe9f32df826

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB77D.tmp.exe

Filesize
78KB

MD5
4cf2f36101743d897b2167da67394433

SHA1
53268943c100bd34a3bb4de82534815229879535

SHA256
4fad33acf269e07c627eb0d09749602aaf603a169a842a5ab256c5067dfc1906

SHA512
95b346f59d757f542fcf5cdfdf35b8ad000cad946fc556210de765cd258edb53dfb80caa66cde96b6e0cdf15bb1e4a4ef8ee16e18753eea242d19a9ad14f377b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBAE6.tmp

Filesize
660B

MD5
fc0fce039dd9b02e635cd63caaeb267f

SHA1
7c31cc180a7f8a37479f52764c4f5328be303f65

SHA256
e7a52a15a201a1005762ae2addeb05dbcd44937679f1270682d1cea773286ce7

SHA512
7d02989efb9fabc9bbf5d765329fdffe8a0b6afccfb04f732e89587dad27a78d2169baa53a12c0a7823d2f79a78c83d3913a8aea37e701208d3aa2afbbe7ae1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbhp9eyf.0.vb

Filesize
15KB

MD5
1d42460c504551cc5ff3d04d0c8ccb2f

SHA1
8b953356c8b63b1302c541b23ccf64ec7cb3297e

SHA256
ee86f8739127e6963e5f42838df607c357fc861ccdbd99554068d65267aa37a0

SHA512
f0fa8c5f0143456a3d094f41782cd225b39aeb88663a240d257197f1b9be1a0ac7820bb15b8cb59a5178d4ed6a712f5c117a9571f9169bab1d902b98b41d85ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbhp9eyf.cmdline

Filesize
266B

MD5
6309d182825d447510a6a2a6a3dea879

SHA1
326406084a7fadf9d06e0d86dcb87795fcb3c8d3

SHA256
9efa230025e1d66cbb001751efb54eafaf68379b5b86b1dfb3fd83ed5b10532d

SHA512
e5be828af5f67ce41174456a5d5b183e2a26dc3dceadbd174ae8d2ba257c485789285c936af2cc9aa788f6464eea9c587ee52f7877656cfeca9a3a1ff327bb12

Download Submit
memory/2076-0-0x0000000074621000-0x0000000074622000-memory.dmp

Filesize
4KB

Download
memory/2076-1-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2076-2-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2076-24-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2724-8-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2724-18-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads