metamorpherrat | 56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33

General

Target

56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe
Size

78KB
MD5

f9a7c2754411a77459e56eb5838ffb70
SHA1

63a5c229b112ef10c97a0780685fcde32f82cf22
SHA256

56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33
SHA512

d2a8eb6eb8b02df177375f61f5ddf60fdd6362068e9d511dfef60be48191f1a310c33605178f907eec991bab01438c1d09d31f6af78d784560a05ba1da456bbc
SSDEEP

1536:VHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtA9/u1iJ:VHFon3xSyRxvY3md+dWWZyA9/d

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpD421.tmp.exe

pid process

2864 tmpD421.tmp.exe

pid	process
2864	tmpD421.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe

pid	process
576	56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe
576	56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpD421.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpD421.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cvtres.exetmpD421.tmp.exe56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD421.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exetmpD421.tmp.exe

description	pid	process
Token: SeDebugPrivilege	576	56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe
Token: SeDebugPrivilege	2864	tmpD421.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exevbc.exe

description	pid	process	target process
PID 576 wrote to memory of 2260	576	56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe	vbc.exe
PID 576 wrote to memory of 2260	576	56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe	vbc.exe
PID 576 wrote to memory of 2260	576	56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe	vbc.exe
PID 576 wrote to memory of 2260	576	56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe	vbc.exe
PID 2260 wrote to memory of 2972	2260	vbc.exe	cvtres.exe
PID 2260 wrote to memory of 2972	2260	vbc.exe	cvtres.exe
PID 2260 wrote to memory of 2972	2260	vbc.exe	cvtres.exe
PID 2260 wrote to memory of 2972	2260	vbc.exe	cvtres.exe
PID 576 wrote to memory of 2864	576	56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe	tmpD421.tmp.exe
PID 576 wrote to memory of 2864	576	56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe	tmpD421.tmp.exe
PID 576 wrote to memory of 2864	576	56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe	tmpD421.tmp.exe
PID 576 wrote to memory of 2864	576	56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe	tmpD421.tmp.exe

C:\Users\Admin\AppData\Local\Temp\56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe
"C:\Users\Admin\AppData\Local\Temp\56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ewqnu009.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD70F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD70E.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2972
- C:\Users\Admin\AppData\Local\Temp\tmpD421.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD421.tmp.exe" C:\Users\Admin\AppData\Local\Temp\56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD70F.tmp

Filesize
1KB

MD5
42008172ac8cb161dc1606fc14382d08

SHA1
6eb597cb7a62fcb6941605cd283f1eb92ece7c52

SHA256
36d4b016b3bf940bd5a8a2752a0f0566afde6409d3bc1273949626266e342a38

SHA512
53aa6f1d77611baa2aab9940f3d029d89e44e8b4fa2daa0b7cb3d40b5e95b7b11024bb734bbccd1f68eb3203fbb7547467671c6d7d746829c4f14ee29c98576b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewqnu009.0.vb

Filesize
15KB

MD5
c6d016193b91ccf5d55d088aed1a01d8

SHA1
90f9abe0170d9483878127c0e97a34ac97b46f59

SHA256
fcad086966edd7924a1887bbf823db8c78b608110c2761749f6e6bcf6f6400d1

SHA512
f98249c4e8f8475767f8e96c7d7bbb6d2eb06a7990315ac2843b1b2172a4ee08d4f305f4441e30c0ffc2a81dcd00021350758b9309eb94e5c995b5fd47d29a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewqnu009.cmdline

Filesize
266B

MD5
d3aa40ca95bc497308c3fbeeff3c1eb6

SHA1
c48c4c0f8052c33d9546c6f652cb25512a913044

SHA256
6ff8266c5c030b27d29fdfa369fc4206862b4d026c696898085f753d35990dc1

SHA512
99257fb1e61fcf2ff208cdcca874bbb369609e51b7bcb5ddb98b4674bae00c367ddf71f3602ecd3071afde0977600688d1d4f49f73564a5d3f8ad7830c90149e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD421.tmp.exe

Filesize
78KB

MD5
87518f91113e8083b5f24af10d6c2a11

SHA1
be26d9615b9132e270d0e6e8bc9a4a4d857380fd

SHA256
2c120751cd15bb01c3404f2282b9d5a1ac0d43b5232f9aaf02138493af830aef

SHA512
0730325d26c4636927b22df48cff883150d55275e1c0f4f0bc88bc07a5cd0e678c949956f75169503a47cb8ec94e378a93690be44720716870620eef8f0a3726

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD70E.tmp

Filesize
660B

MD5
d54a424129702321bb90e7453c729798

SHA1
7482ad1debe6e77ee8341470bb61033f8acfee0e

SHA256
55c7fecb4b5f18b9e8290cc36d65756b16d8fb87cd0e6ef85295fb13013939fa

SHA512
7b45aa4f8642a01e0159576d7a08a7dce8c54fa3f846a1671d80f19caacfd96c406be5b09f4300aaddb0b62ff0604d6fe76f9084199ebbd6c63371645fa20809

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/576-0-0x0000000074E81000-0x0000000074E82000-memory.dmp

Filesize
4KB

Download
memory/576-1-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/576-2-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/576-24-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/2260-8-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/2260-18-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads