metamorpherrat | 5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cb

General

Target

5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe
Size

78KB
MD5

9f17193c6326afe2ced78c8b6fbb21b0
SHA1

7559c156ee45c17360a1865ddc51e2c3111a8f6c
SHA256

5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cb
SHA512

b269f7480094477f7c783d57d1ca5476bf58dec7af64783bbac0de16ffd6601153d09f70d2162c6e73adaaddb748da6dea23d614d84f15bca8ddb15f905e8b8b
SSDEEP

1536:NuHHM3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQte79/X1zr:NuHs3xSyRxvY3md+dWWZye79/1

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe

Executes dropped EXE 1 IoCs

pid	Process
4016	tmp29AE.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp29AE.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp29AE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe
Token: SeDebugPrivilege	4016	tmp29AE.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 3164	3064	5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe	82
PID 3064 wrote to memory of 3164	3064	5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe	82
PID 3064 wrote to memory of 3164	3064	5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe	82
PID 3164 wrote to memory of 1988	3164	vbc.exe	84
PID 3164 wrote to memory of 1988	3164	vbc.exe	84
PID 3164 wrote to memory of 1988	3164	vbc.exe	84
PID 3064 wrote to memory of 4016	3064	5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe	85
PID 3064 wrote to memory of 4016	3064	5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe	85
PID 3064 wrote to memory of 4016	3064	5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe	85

C:\Users\Admin\AppData\Local\Temp\5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe
"C:\Users\Admin\AppData\Local\Temp\5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l5cfo31k.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A98.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2359F81DBC8E4684B8F9542E55807051.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1988
- C:\Users\Admin\AppData\Local\Temp\tmp29AE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp29AE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5856530d63d48748dfae9c70c9617b703a7f4237d6610c0973c38c4cb74a97cbN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2A98.tmp

Filesize
1KB

MD5
4b3f9321a8cb9e4a5bfa0cca4a21793b

SHA1
0f76fd9bb9a416a21f4f995e15b3ba39364619a4

SHA256
d4dddeb91df4bea61fe707605c6c744ced1cf3e912c634ff67eeeee7bde9bb08

SHA512
897bffecd5e76e9478c20e1b608893480566935d6e53ad3b01893d844805578cad8b741be64fc0d1d15f0313e153d4afaebf78f45a567f8aa758b2406cc70bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\l5cfo31k.0.vb

Filesize
15KB

MD5
2edd55e5eff15c4317b957d8f4946099

SHA1
3ee5843b3572ac83a5b41519bffaa934cfe8950b

SHA256
1c43991ed9b20a866823cc0cc9a99ee68a7820f470a2082d4547337f3fbc8fb0

SHA512
b897322812bec17f57e2d936d88bc01586d7400364b678872200524ec6f981b6f4756e89f0ae0fa064d6081d1c91e4529502f5a4d82bfab8094d8328e13d43eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\l5cfo31k.cmdline

Filesize
266B

MD5
2893165dc378fc3bc6b8e2bf6903a073

SHA1
0fabb388b3e37da66a56d00c172b509d7a04419f

SHA256
44450ca614ed5074b16ed148ce69ad0aa8e1d851d8bf992a43f33933a25c882a

SHA512
9daacc1b49e8bb444813eab3b5e645b02ab86186aadabb8ef16eff6d31934bd500d7f9f0a5ad3b83c5018239877b71221ce25db3831c87a4c3e32e464144f6d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp29AE.tmp.exe

Filesize
78KB

MD5
43cfb1a2d279f6894ed5cde97c54272c

SHA1
17bcd1c212fe70a10ffc9464db45b26b0bbc68ed

SHA256
21e5281d5dad0954209e78fad63f5c694b45a66f0742fe8c79e65be8d72eb79b

SHA512
1d75cecd75b69defdde9e84ea239739e620fddec901971fc8f7f5d46475f4eff941fb8dc95ee75637e2cf697af492eb041f24957794a583ba9ae5540a3379b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2359F81DBC8E4684B8F9542E55807051.TMP

Filesize
660B

MD5
51f7ce6cab0457d4aa59e005bd146ce2

SHA1
84118e25e44ee875465732960a04cfdbfb7b33bd

SHA256
664be5da476369c7a150cf0bcc51a399755ba84704d49e7a7b00bb31ea5cf672

SHA512
9335b39d4eee1bde95399a72d39ae954e2d51bbdb56d9e191b5368386233f3910ca1b4fff6278246d45b3872d9143f8b4e49d7ddc092add47d16c83696b3725f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/3064-1-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3064-2-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3064-0-0x0000000074BB2000-0x0000000074BB3000-memory.dmp

Filesize
4KB

Download
memory/3064-22-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3164-9-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/3164-18-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4016-23-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4016-25-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4016-24-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4016-27-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4016-28-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4016-30-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4016-29-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download
memory/4016-31-0x0000000074BB0000-0x0000000075161000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads