metamorpherrat | 56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33

General

Target

56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe
Size

78KB
MD5

f9a7c2754411a77459e56eb5838ffb70
SHA1

63a5c229b112ef10c97a0780685fcde32f82cf22
SHA256

56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33
SHA512

d2a8eb6eb8b02df177375f61f5ddf60fdd6362068e9d511dfef60be48191f1a310c33605178f907eec991bab01438c1d09d31f6af78d784560a05ba1da456bbc
SSDEEP

1536:VHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtA9/u1iJ:VHFon3xSyRxvY3md+dWWZyA9/d

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe

Executes dropped EXE 1 IoCs

Processes:

tmp8656.tmp.exe

pid process

1440 tmp8656.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

pid	process
1440	tmp8656.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp8656.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp8656.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exevbc.execvtres.exetmp8656.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8656.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exetmp8656.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3528	56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe
Token: SeDebugPrivilege	1440	tmp8656.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exevbc.exe

description	pid	process	target process
PID 3528 wrote to memory of 3628	3528	56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe	vbc.exe
PID 3528 wrote to memory of 3628	3528	56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe	vbc.exe
PID 3528 wrote to memory of 3628	3528	56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe	vbc.exe
PID 3628 wrote to memory of 4756	3628	vbc.exe	cvtres.exe
PID 3628 wrote to memory of 4756	3628	vbc.exe	cvtres.exe
PID 3628 wrote to memory of 4756	3628	vbc.exe	cvtres.exe
PID 3528 wrote to memory of 1440	3528	56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe	tmp8656.tmp.exe
PID 3528 wrote to memory of 1440	3528	56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe	tmp8656.tmp.exe
PID 3528 wrote to memory of 1440	3528	56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe	tmp8656.tmp.exe

C:\Users\Admin\AppData\Local\Temp\56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe
"C:\Users\Admin\AppData\Local\Temp\56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ncgxp0a7.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88A8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2BD4A9C754EB48958059876F22A710D1.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4756
- C:\Users\Admin\AppData\Local\Temp\tmp8656.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8656.tmp.exe" C:\Users\Admin\AppData\Local\Temp\56e02c3777bdc684c96cc50899f2fe1ba599cd0a6b703a80d47d5d42edf44c33N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES88A8.tmp

Filesize
1KB

MD5
8bd46b8e09ed37d12de416a3f8503438

SHA1
2bbc3c801594cb23416cb33bfe25d87bcc9a2b33

SHA256
bb86918c4a433d5a5623d734920f6331d1c0a49c3beb373efc08456db46b1aa9

SHA512
753f64c1d655fa529554d948d939f9631864f8cba303262e754e87da098e5e3593469016a10892abc7b3f80c041e039a95e050a323a1bac692f778942fe09489

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncgxp0a7.0.vb

Filesize
15KB

MD5
e7206aa3d1a2c877e0e156d403e584a2

SHA1
9a93481714b0dd6f67d70fbc2ba425cedf6abde6

SHA256
f17b131a48487dd8a9b63fe261fa6ede4ddbaf9df01295a95082270085745663

SHA512
a03512ab575e8b98beb8e0d605d5ca46aae7d52f736b4f7bfbd2ae5d3d63966f0792b7d19f1b35801dc1c787822987ca016514f7cdb89e6ddcbd10eae20e958e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncgxp0a7.cmdline

Filesize
266B

MD5
e24825e1cc0bb925c04f70bf0d69ed9a

SHA1
42fe44463b3dc470826e49947e366b56893fa359

SHA256
0920d5559f221be8ce10bf9f8e5593c3f28d11a3cf311c3e827394de2768e474

SHA512
25a0385b3e61b5eeb1bc3e02ff1a2190bdef7011e7e42184079450fdc57542797ab77c7d59d5939c3f400c2234098cba2edacc87bfb925bed5949731fe071d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8656.tmp.exe

Filesize
78KB

MD5
f0b13ad68edffeaf5ea6c4fe882bfcfb

SHA1
636f54d5c41a0581d4d31b17b0c30d1c7884e4aa

SHA256
32b910bc7c4d29930abb0862fead3a6751ebe322151f134a1079141c2a140611

SHA512
742838374aebf6def69afafd1c8f0000df7cf4bcd280cb925151896ffdf7b692aa3f52513ef437748696c7c82fe8c6037f9c80476a4969473ec2ab5e34aae6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2BD4A9C754EB48958059876F22A710D1.TMP

Filesize
660B

MD5
ae890ca5fd2bf0caf1d7efbc3a36975e

SHA1
ac7791d25fff7a9c9a70b7dd38abbb9bdbab7799

SHA256
83e110f146f9493ccbbf36fb684b65d02aedbee715627efbf3ce16702ee655f8

SHA512
2f3debf0f9137af9419e78042f803796908b3eef642e497cd7dc7022a367a10b1cc223152a7b2b5a4ab78ca8edaae4582e1da1323d02938b607b2e1f21be26e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1440-23-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/1440-30-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/1440-24-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/1440-26-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/1440-27-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/1440-28-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/1440-29-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/3528-1-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/3528-22-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/3528-0-0x0000000074FA2000-0x0000000074FA3000-memory.dmp

Filesize
4KB

Download
memory/3528-2-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/3628-9-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/3628-18-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads