metamorpherrat | 5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8

General

Target

5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe
Size

78KB
MD5

502095e6926738d218254afa6ba3c390
SHA1

f94a2d8dea7c244f4b1828602b755dff44503eb0
SHA256

5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8
SHA512

e69963ae05d6a21de688702e31b11dfe2d05b1810507b5e6153047fed11ead45e9a3ba6cc1f8de8b7364d564db86a72e80ff59ba1e3c7a1ce12e7f6684a5a8ec
SSDEEP

1536:4tHHM3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtwM9/lm1Xk:4tHs3xSyRxvY3md+dWWZywM9/N

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2252	tmpD0F5.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2380	5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe
2380	5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpD0F5.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD0F5.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe
Token: SeDebugPrivilege	2252	tmpD0F5.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2336	2380	5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe	31
PID 2380 wrote to memory of 2336	2380	5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe	31
PID 2380 wrote to memory of 2336	2380	5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe	31
PID 2380 wrote to memory of 2336	2380	5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe	31
PID 2336 wrote to memory of 2516	2336	vbc.exe	33
PID 2336 wrote to memory of 2516	2336	vbc.exe	33
PID 2336 wrote to memory of 2516	2336	vbc.exe	33
PID 2336 wrote to memory of 2516	2336	vbc.exe	33
PID 2380 wrote to memory of 2252	2380	5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe	34
PID 2380 wrote to memory of 2252	2380	5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe	34
PID 2380 wrote to memory of 2252	2380	5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe	34
PID 2380 wrote to memory of 2252	2380	5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe	34

C:\Users\Admin\AppData\Local\Temp\5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe
"C:\Users\Admin\AppData\Local\Temp\5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o48tlblz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD192.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD191.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2516
- C:\Users\Admin\AppData\Local\Temp\tmpD0F5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD0F5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD192.tmp

Filesize
1KB

MD5
c89974943cf430fd874a2cd8958fae29

SHA1
d51a829bf22698cac25c9c29d39bdb27bcebfef3

SHA256
c4635bc4648a7f4452b271460fbd1746aa96defa967644402c3e2f7175a913cc

SHA512
7b9de335631e152b5fcd5d24b236cd84d287d4dfab37a6415351a007e0356bbdb123aea0fd6302d45d3969711e2860d884bbf35391777498046f42375dae7b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\o48tlblz.0.vb

Filesize
15KB

MD5
2af01689e421c87ff5bc9ed7eecedf93

SHA1
a22bdee7dc658fac35906ab2622776505546350c

SHA256
12d88ccee13606db229d58b126da9060225551ffac3affeecd6b7a2f4b7612c5

SHA512
faa2b906396b52e039ad36a9b2765e0deb4e983549c22a7e96b33d8bbaf0ec2009d8c50d1ed1c53347d511c09758cfb0091d48030079ca355472c104aed3d747

Download Submit
C:\Users\Admin\AppData\Local\Temp\o48tlblz.cmdline

Filesize
266B

MD5
410c3d13d98ee12205d111e16bc80ff1

SHA1
9ab683140776ffbd2c670b78e209a6a47a7c64bb

SHA256
f5e2acdcb445412c6cbfc8eaeee5d8a11c34e306cd8dc5fc5e36766bfa99ccf5

SHA512
8ef693e8e7f84cada43ce88c0a6edee78e005f6ae34a0ea8f139024cdef00d0228549c020bed3b884ef56e7159138a9a07e574b66097da065079d48572f2938c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD0F5.tmp.exe

Filesize
78KB

MD5
b34d0768e9e4b5088528a6b6217a1364

SHA1
c55f3a35eba7468c5c128149d4a97f544a625037

SHA256
520858c753001861a2ab516d75f363edeb2579a1a4ef74da58cf770829d46e5a

SHA512
94efa161c9562b81c965e1fb79559c8cac4b14abcd05c455d05689b2370ab8d538c89b8c64cfa4cb925561125cae4d2add3fbc43184737f3b94b7c61af491a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD191.tmp

Filesize
660B

MD5
d002ca595762fd179c521eb6f52b9898

SHA1
f2a428e5f0f57e74593b97c7396993714e210282

SHA256
16cee14a6d8793938804faf6ea1cd7e4bb2e521f2f1bb44fc1476d20f83a059e

SHA512
8023aa9b9105bb8db0d668a2d49f92ec3cc7f1ae123021dba91d40a7d9025d7f3aff35279dd3eea7073b3bbc658534dc7bd5ade7f31227622aa4252a5deab7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2336-8-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2336-18-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2380-0-0x0000000074611000-0x0000000074612000-memory.dmp

Filesize
4KB

Download
memory/2380-1-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2380-2-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2380-24-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads