metamorpherrat | 8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70

General

Target

8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
Size

78KB
MD5

64d6e93324b0895e0b790c167a579393
SHA1

2f4d390f82feb9513e2decbd8b2165340e3a33f0
SHA256

8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70
SHA512

05328cf8d036b879b8e05e99b8347c306e8551ca9dde63b31eb2b1f02190de3308d179f8b46169e7e2489224dee78806d76165b4f5dfbef5a6af43045c96a552
SSDEEP

1536:SRWV5iXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtN6O9/I1mHd:SRWV5aSyRxvY3md+dWWZyl9/Vd

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2676	tmpE7D0.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2744	8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
2744	8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpE7D0.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE7D0.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
Token: SeDebugPrivilege	2676	tmpE7D0.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2660	2744	8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe	31
PID 2744 wrote to memory of 2660	2744	8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe	31
PID 2744 wrote to memory of 2660	2744	8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe	31
PID 2744 wrote to memory of 2660	2744	8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe	31
PID 2660 wrote to memory of 2788	2660	vbc.exe	33
PID 2660 wrote to memory of 2788	2660	vbc.exe	33
PID 2660 wrote to memory of 2788	2660	vbc.exe	33
PID 2660 wrote to memory of 2788	2660	vbc.exe	33
PID 2744 wrote to memory of 2676	2744	8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe	34
PID 2744 wrote to memory of 2676	2744	8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe	34
PID 2744 wrote to memory of 2676	2744	8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe	34
PID 2744 wrote to memory of 2676	2744	8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe	34

C:\Users\Admin\AppData\Local\Temp\8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
"C:\Users\Admin\AppData\Local\Temp\8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d6b39ww9.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8F9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE8E8.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2788
- C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8b63e60f1cbeb371512c3e6ea157157124958210508eb3fd5ea794719f2ead70.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE8F9.tmp

Filesize
1KB

MD5
edbd075dde2a4eb44c4fc6f52e426b1b

SHA1
2d09e9df610060a59702fdede28ba38c0d9b4b92

SHA256
3c72477ae6953355f01470202e232ec74fc1f559d3cd6dfa01319892f100f9ed

SHA512
0abd8c73f438a7d18b368c6201fd484c7a4e92056b35d6b3a55ec691c49a36875082b447c0634816307dc70fc3002ef374d3697d77a66d0a9d221a0876756578

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6b39ww9.0.vb

Filesize
14KB

MD5
de647232052679e0dc63feb6a2ef5808

SHA1
c64edba5680ce43466ee11ade815f05cf66350db

SHA256
7482c923f6bc713d389d7e33636b2e6e6a552962c3997d3af5525d6843637d41

SHA512
d0b4e235d83cabac7113fe3d4fcd972d84479d484cc0e2cf96ff77695754c36c201946d681c28226e500ece88739c3dd9445644101d4ec1929fb3b441e0247e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6b39ww9.cmdline

Filesize
266B

MD5
322cde96c66d64e0fa8651c5a4491583

SHA1
1aa49c922239bd65617066fbe72968be6150c742

SHA256
72cdb5c0919133f1ef0da0124045a32357123bd45d2763fefa050cd506c5d8e4

SHA512
b5b5917582ef87ce24f30267d0575e0dba60afa9eeb61aca377d13b8b61764e10885fa0f5db257e647ca50af16d9cf186e8379c1e85813409a57129ceaf6727b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp.exe

Filesize
78KB

MD5
7e9a2687c042856bef08f960c97d6ea9

SHA1
30a016fcbf962e4e1673721259cf768705daf2cb

SHA256
7684c433a74d6ac3c0fa062c88264c01306cd0916e733a721c6dbc517c34d6e8

SHA512
01b34be7ff8670b76d40e354ba18fd858a844ea8570af9c66297e20ea1e0a9cb3759ba869d500d98f58549e69d9f2ee891106aed06bdf1b035ca4bb47232edfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE8E8.tmp

Filesize
660B

MD5
b302d62d43d996b7d82cb7f58bcae392

SHA1
c07717723f70117bd89db4ca14592aa3f8d4027e

SHA256
54b381c18fc9128636cb4a6c0d155971089bf40fe489c772899060f34cd12c69

SHA512
5054c8bc1300570016fcae5ef9ce1908d0889025e513e72a302dba06e140661fdd4d4ddff37ffe9c35d21971da2aa8c94d26642f22071fe2ea8542c122a11281

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2660-8-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2660-18-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2744-0-0x0000000074E71000-0x0000000074E72000-memory.dmp

Filesize
4KB

Download
memory/2744-1-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2744-2-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2744-24-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads