metamorpherrat | 2523b511291f97d7805de0d8e258f069a08fc27e9adb07310f42f3d3feb58be0

General

Target

2523b511291f97d7805de0d8e258f069a08fc27e9adb07310f42f3d3feb58be0.exe
Size

78KB
MD5

23b21119a60e8c2ff38814c1b6a5e10a
SHA1

f94a1fe269170fc4d2bce2cbd4b76146853029a6
SHA256

2523b511291f97d7805de0d8e258f069a08fc27e9adb07310f42f3d3feb58be0
SHA512

e34141db8f24c41a4c323ef20b4a9c0b54fd678b4f31c447dcffe7e96d1934011209c032b6a6f401ab3369f7e0023f60796f38a19c34a8372211e20e41a48e72
SSDEEP

1536:LhRWV58wXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt9679/k1Y9:dRWV58oSyRxvY3md+dWWZy89/t

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	2523b511291f97d7805de0d8e258f069a08fc27e9adb07310f42f3d3feb58be0.exe

Executes dropped EXE 1 IoCs

pid	Process
4828	tmp7956.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp7956.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7956.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2523b511291f97d7805de0d8e258f069a08fc27e9adb07310f42f3d3feb58be0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	2523b511291f97d7805de0d8e258f069a08fc27e9adb07310f42f3d3feb58be0.exe
Token: SeDebugPrivilege	4828	tmp7956.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 1884	2384	2523b511291f97d7805de0d8e258f069a08fc27e9adb07310f42f3d3feb58be0.exe	84
PID 2384 wrote to memory of 1884	2384	2523b511291f97d7805de0d8e258f069a08fc27e9adb07310f42f3d3feb58be0.exe	84
PID 2384 wrote to memory of 1884	2384	2523b511291f97d7805de0d8e258f069a08fc27e9adb07310f42f3d3feb58be0.exe	84
PID 1884 wrote to memory of 2820	1884	vbc.exe	86
PID 1884 wrote to memory of 2820	1884	vbc.exe	86
PID 1884 wrote to memory of 2820	1884	vbc.exe	86
PID 2384 wrote to memory of 4828	2384	2523b511291f97d7805de0d8e258f069a08fc27e9adb07310f42f3d3feb58be0.exe	90
PID 2384 wrote to memory of 4828	2384	2523b511291f97d7805de0d8e258f069a08fc27e9adb07310f42f3d3feb58be0.exe	90
PID 2384 wrote to memory of 4828	2384	2523b511291f97d7805de0d8e258f069a08fc27e9adb07310f42f3d3feb58be0.exe	90

C:\Users\Admin\AppData\Local\Temp\2523b511291f97d7805de0d8e258f069a08fc27e9adb07310f42f3d3feb58be0.exe
"C:\Users\Admin\AppData\Local\Temp\2523b511291f97d7805de0d8e258f069a08fc27e9adb07310f42f3d3feb58be0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ld7voccg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A7F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA6093BDA5B784903B6643E4D31CA3B37.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2820
- C:\Users\Admin\AppData\Local\Temp\tmp7956.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7956.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2523b511291f97d7805de0d8e258f069a08fc27e9adb07310f42f3d3feb58be0.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7A7F.tmp

Filesize
1KB

MD5
df5ca865c1960ea239c419a23e3637c2

SHA1
feaf988f1e89e02bfad38e0ef41bc77d3f4a0117

SHA256
4c43f7de64620d416082f061909f217a2d4bbc1d43eedceaed9f14e9a1ed4dee

SHA512
957c9b4c569683cd2304bd92ec98f9d538fd545376c2799bdd3f4d683efd41b8296c78f577c7f39fbf32cad93ff3cd74d416817d91e7a13efc6626961cf26c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\ld7voccg.0.vb

Filesize
14KB

MD5
cd8ed3036726d3f3894cb4cd5faffc90

SHA1
6c305eae20f6bcf179628f1a4abed9647ab0ef55

SHA256
935c9ac277cefb36a767cf1d722870952ebb0d1b96c4a4702e4cfd30259f506c

SHA512
3d3cc43c6b6f6fd5958c004329807c21dce73c619c5e3bd03e4ebce146c4b52e0d926859fab96de730f5cef234880626bf4cb1a6fbfe5ac94c7076273c1844f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ld7voccg.cmdline

Filesize
266B

MD5
4bbbe88da27a10a5578ded38605f38dd

SHA1
33d6d6058ff9428ad54f6f2380a7c1ad1dd7cbc8

SHA256
51ec4ac0b7e76f1189b9c7487a6ea94e4752af6d8cab06d99c83dc90fae4a318

SHA512
1a51a109e3f44f51f92b35a7b998a6627d945f4878e8bee368f11b29646a6c711c9b659eabfe78f353d70e1fcf659196b9b9c60dd61c4ae08ff6ad4ce6eb75a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7956.tmp.exe

Filesize
78KB

MD5
0681890ced2446ba5b22984cf58ce174

SHA1
e3246aaec1820fa9b8e982d686af36e79fab902f

SHA256
38d5d7d04ba959fb9f862ac60713a82b1d90132ea3da0859733b0439dfd7a239

SHA512
81ba5d783828fa8e47262becd14a36768a3c7bdddc07a7afb969c34bd33bf866acb10f6d1b4e38fb0ea9a96bf6a02e11bf837ab64da92f24342b0a4acc240a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA6093BDA5B784903B6643E4D31CA3B37.TMP

Filesize
660B

MD5
711c7b3bffc0e95da637315a24680389

SHA1
2868621f2df6e70f157091536ad12dc5cef4a83e

SHA256
a282ea89a153d5f07e7042b2c76e2a6b477692689f07c9638cd70a92efa893d4

SHA512
95142dec0020d4f98283dd714c8520373915146ccf2d038f1808a8f422b20c8665fcf3b2ac7f862e1b0a99c7a957ce58dd039cc787dced022dd3fe8a67033142

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1884-9-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/1884-18-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/2384-0-0x0000000075562000-0x0000000075563000-memory.dmp

Filesize
4KB

Download
memory/2384-2-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/2384-1-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/2384-22-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/4828-24-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/4828-23-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/4828-25-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/4828-27-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/4828-28-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/4828-30-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/4828-29-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download
memory/4828-31-0x0000000075560000-0x0000000075B11000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads