metamorpherrat | 5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8

General

Target

5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe
Size

78KB
MD5

502095e6926738d218254afa6ba3c390
SHA1

f94a2d8dea7c244f4b1828602b755dff44503eb0
SHA256

5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8
SHA512

e69963ae05d6a21de688702e31b11dfe2d05b1810507b5e6153047fed11ead45e9a3ba6cc1f8de8b7364d564db86a72e80ff59ba1e3c7a1ce12e7f6684a5a8ec
SSDEEP

1536:4tHHM3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtwM9/lm1Xk:4tHs3xSyRxvY3md+dWWZywM9/N

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe

Executes dropped EXE 1 IoCs

pid	Process
4912	tmp89C1.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp89C1.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp89C1.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe
Token: SeDebugPrivilege	4912	tmp89C1.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 5024	2208	5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe	82
PID 2208 wrote to memory of 5024	2208	5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe	82
PID 2208 wrote to memory of 5024	2208	5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe	82
PID 5024 wrote to memory of 5060	5024	vbc.exe	84
PID 5024 wrote to memory of 5060	5024	vbc.exe	84
PID 5024 wrote to memory of 5060	5024	vbc.exe	84
PID 2208 wrote to memory of 4912	2208	5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe	85
PID 2208 wrote to memory of 4912	2208	5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe	85
PID 2208 wrote to memory of 4912	2208	5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe	85

C:\Users\Admin\AppData\Local\Temp\5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe
"C:\Users\Admin\AppData\Local\Temp\5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vmhicdwn.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B29.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5F031AE86CB04CF590A16116C6FC87D8.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5060
- C:\Users\Admin\AppData\Local\Temp\tmp89C1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp89C1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5b23fdcaead620e89be075a2f8c963b499cecf02e0ef6afb27c9adb5d73f0dc8N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8B29.tmp

Filesize
1KB

MD5
ca0f189b9a3f82a6f6bcab09f36e0519

SHA1
997af6571e2d500e8f283c990d05d02c5d0e3dc0

SHA256
3f23cf645e7bd995012839f3341ac38cb5f803549a68f23a2d5d138e7cf87dd8

SHA512
7a2691825cb1fed9813a29bc7290059eb50061568c41730c836d9a22fca7a566d840bce193c89ef5dae70735949a714538ede234b8e9a9752785d995ececa680

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp89C1.tmp.exe

Filesize
78KB

MD5
3b70c5e2eb79f88528ec87ef33d72759

SHA1
0d25bc23193f4b8377a40e21fc669d491b36a074

SHA256
f35413ff4b02801bd1415c76fd99cab314a1cf6942eb05bfc4fa56411d169832

SHA512
475160f0770410f9ced75161ba9b9afa41317defc4f6ad24378080c2c01f1fee9c36cbc3473d71ea967757c4a882694c8131e1c950b82c229f98429a039bdbee

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5F031AE86CB04CF590A16116C6FC87D8.TMP

Filesize
660B

MD5
4b162bff4755a64c3bbb2bf56b37b1a6

SHA1
2d5ab7f4d4a4fd4e6261893d20d3a43785fc3b70

SHA256
0d3c26eb42dea7d588c7140664f653cfc95c51b9271f08a1ac92ec9e3be6b97b

SHA512
50a15b5b8f06f149d5739f928793e0b3d0027740ea49502fc8bed81b25ccfd4e20e9c320dd8ab66f096eba23972aa801f909ddbded5830beb80d0605de389bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmhicdwn.0.vb

Filesize
15KB

MD5
6c27238dec1458544bf83dbbd1861412

SHA1
771a0048001726919f507a7826c7bee323cf40ab

SHA256
bc41d8b52f9dc90163f21bfc3b0ef78e910bb8f9aa85ebe257bd5f2dfe8de264

SHA512
036003b58a73eda44b2889806997b635edd1b527d05ce4019fc8308bf3369412ae67b3d027b8d67331d224456ef627c9e3acc835fcb81792b03a60405799860a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmhicdwn.cmdline

Filesize
266B

MD5
3e452daede2bd16da265ff1bba085a7b

SHA1
26dfc37ec69e2708d6792fc58b749f4b594b099a

SHA256
683a32d19061d6d901df435851f4012db92ca92fbda3021b82a33226a771ecc8

SHA512
6e79cc3983105f06f42439bc032cde87205f192bbddc4ebdc7db218dc939ad70195cf242044554009c046bf89f86e3f96e680228c961d65a9cbb6537fe8d58e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2208-1-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/2208-2-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/2208-0-0x0000000075292000-0x0000000075293000-memory.dmp

Filesize
4KB

Download
memory/2208-23-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/4912-22-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/4912-24-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/4912-26-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/4912-27-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/4912-28-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/4912-29-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/4912-30-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/5024-9-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/5024-18-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads