metamorpherrat | 5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cb

General

Target

5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe
Size

78KB
MD5

9f17193c6326afe2ced78c8b6fbb21b0
SHA1

7559c156ee45c17360a1865ddc51e2c3111a8f6c
SHA256

5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cb
SHA512

b269f7480094477f7c783d57d1ca5476bf58dec7af64783bbac0de16ffd6601153d09f70d2162c6e73adaaddb748da6dea23d614d84f15bca8ddb15f905e8b8b
SSDEEP

1536:NuHHM3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQte79/X1zr:NuHs3xSyRxvY3md+dWWZye79/1

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1084	tmp8A93.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1528	5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe
1528	5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp8A93.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8A93.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1528	5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe
Token: SeDebugPrivilege	1084	tmp8A93.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 2576	1528	5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe	30
PID 1528 wrote to memory of 2576	1528	5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe	30
PID 1528 wrote to memory of 2576	1528	5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe	30
PID 1528 wrote to memory of 2576	1528	5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe	30
PID 2576 wrote to memory of 2128	2576	vbc.exe	32
PID 2576 wrote to memory of 2128	2576	vbc.exe	32
PID 2576 wrote to memory of 2128	2576	vbc.exe	32
PID 2576 wrote to memory of 2128	2576	vbc.exe	32
PID 1528 wrote to memory of 1084	1528	5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe	33
PID 1528 wrote to memory of 1084	1528	5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe	33
PID 1528 wrote to memory of 1084	1528	5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe	33
PID 1528 wrote to memory of 1084	1528	5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe	33

C:\Users\Admin\AppData\Local\Temp\5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe
"C:\Users\Admin\AppData\Local\Temp\5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c9edryfa.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8BDC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8BDB.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2128
- C:\Users\Admin\AppData\Local\Temp\tmp8A93.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8A93.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8BDC.tmp

Filesize
1KB

MD5
c4c3720b03c260a0cd907fc631bfebf1

SHA1
55f0ec4657ab1db964d55e58d6436a9b4b4995b7

SHA256
beade25ea98c2f2350bafc6374f89579efff139ddcdd0deaefee78ec085be814

SHA512
dac04b0112971947345d0744cdd946c845ec20f3ef4ef4659f4b6d205929e0fc518faf9f1d24e7da226a38c2d7e78244a689ba16620e988b1dc930de962122b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9edryfa.0.vb

Filesize
15KB

MD5
c8029a2ecab58a7f063992154ea2e01b

SHA1
90b989953a43bc3d77f65a13939ba5aaddaecced

SHA256
1f15987deb60d993eab4b7434bc55a411837f9b983d531ac8ad6ad012e05fcf3

SHA512
d319a345cc6373d25befcc7c70620336287f49b35bd86acf2efbd5b1fdd118a507cdbe4558a78c16da7663a3490a1ccb457b6d790a7f7752cdb06ce4a47a6a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9edryfa.cmdline

Filesize
266B

MD5
6a6042aaeb60f71153a46d40e7b7bfac

SHA1
99db8496013f5e5f81feaf950a1cb99520b1c9d8

SHA256
f039dc7c266fc344fff54a48b8dbf093ad1c00f718bc44c1c08b0771ee79364b

SHA512
2267654722697d0db2462ff2ce9669b4baf454de57d34db8acc948114c338a0cfc7b391dc02fc50df3ec8acf15f1a653dd6798463a4302b10c49b37848591e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A93.tmp.exe

Filesize
78KB

MD5
7a383abf458fe221b2e4464b5d36d36d

SHA1
5b6398ef8d9dd8492db40e60621badf794e907a9

SHA256
fb01d3b516a23a961c5e4e82d767aef878bd7da4aaa9e1863a22143135c2c1be

SHA512
5814042e466d4d369eadc5c9071d4fe75ee01014961c99e139544bf61acdd4f0000860e17f12f25359a16ad4dda938ab3c15f8b0461ecf2e6e6e7b674371c241

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8BDB.tmp

Filesize
660B

MD5
96a073bfe00dc80b9f53b673f8bd2b65

SHA1
42a89902e027c6bbf12258f5914158cf8270a2da

SHA256
465eba3cdece278067438416bfa8b60c988d2e9bb8caac2baf95414f9dea1f19

SHA512
77e3b0b4829227bd755236ed2383455c8befe2f530a5a99553f57357cbaa6a53f2824da84663061eeb8be406d218b897f8cd703a78f10eb73f2cd8efc9d4b605

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1528-0-0x0000000074091000-0x0000000074092000-memory.dmp

Filesize
4KB

Download
memory/1528-1-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/1528-2-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/1528-24-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-8-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-18-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads