metamorpherrat | dbfb82bf6a221077de349e566df83f95c18c8c8d746b0038d4bc578423f7f687

General

Target

9bde6ba2e8833d07c89b6ec3c5fdec60N.exe
Size

78KB
MD5

9bde6ba2e8833d07c89b6ec3c5fdec60
SHA1

c3e5161e723475c9bbb752977f80829087832048
SHA256

dbfb82bf6a221077de349e566df83f95c18c8c8d746b0038d4bc578423f7f687
SHA512

4588c26ca8a8d468c307c1a1084c324175471b6d34bdafab7735b2264789dcff605f0b40857848662a70e0a45ffbb9bf9bb881fd5c42f397178a6cc5fc6dadac
SSDEEP

1536:XMCHY6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtJ9/Q1bF:cCHYI3ZAtWDDILJLovbicqOq3o+nJ9/U

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2652	tmp2868.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2296	9bde6ba2e8833d07c89b6ec3c5fdec60N.exe
2296	9bde6ba2e8833d07c89b6ec3c5fdec60N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp2868.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9bde6ba2e8833d07c89b6ec3c5fdec60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2868.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	9bde6ba2e8833d07c89b6ec3c5fdec60N.exe
Token: SeDebugPrivilege	2652	tmp2868.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 1096	2296	9bde6ba2e8833d07c89b6ec3c5fdec60N.exe	30
PID 2296 wrote to memory of 1096	2296	9bde6ba2e8833d07c89b6ec3c5fdec60N.exe	30
PID 2296 wrote to memory of 1096	2296	9bde6ba2e8833d07c89b6ec3c5fdec60N.exe	30
PID 2296 wrote to memory of 1096	2296	9bde6ba2e8833d07c89b6ec3c5fdec60N.exe	30
PID 1096 wrote to memory of 2140	1096	vbc.exe	32
PID 1096 wrote to memory of 2140	1096	vbc.exe	32
PID 1096 wrote to memory of 2140	1096	vbc.exe	32
PID 1096 wrote to memory of 2140	1096	vbc.exe	32
PID 2296 wrote to memory of 2652	2296	9bde6ba2e8833d07c89b6ec3c5fdec60N.exe	33
PID 2296 wrote to memory of 2652	2296	9bde6ba2e8833d07c89b6ec3c5fdec60N.exe	33
PID 2296 wrote to memory of 2652	2296	9bde6ba2e8833d07c89b6ec3c5fdec60N.exe	33
PID 2296 wrote to memory of 2652	2296	9bde6ba2e8833d07c89b6ec3c5fdec60N.exe	33

C:\Users\Admin\AppData\Local\Temp\9bde6ba2e8833d07c89b6ec3c5fdec60N.exe
"C:\Users\Admin\AppData\Local\Temp\9bde6ba2e8833d07c89b6ec3c5fdec60N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ekdnr49v.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2BD2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2BD1.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2140
- C:\Users\Admin\AppData\Local\Temp\tmp2868.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2868.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9bde6ba2e8833d07c89b6ec3c5fdec60N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2BD2.tmp

Filesize
1KB

MD5
b55658ca764ad083f2e6ec3b1f104780

SHA1
71a3a243dc93998592654b04e645369d4f8453a9

SHA256
40296ef0601b345ee70517506e9a42ccb82d704315b446b0c91495a7e9da58e7

SHA512
fc1ebabea7f5ca047ca4aa9119619a03fbfbefa0dfdc841ea62de0bca2ea0b1cda22948b5a6ef732278c5e64361ff5c8cff8e475a6c4f49f857880ce436a84b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekdnr49v.0.vb

Filesize
15KB

MD5
840c73556f7137ee02976ddd4afea330

SHA1
91ab2c6674e397e1432b2d2857f592b0e6b0a445

SHA256
3a0048276799d0bf1b7d4715767895f24942ec05e91cea3b14057a4094d1f89d

SHA512
84a2e69282e6c89d184903ae8660903b8a70e0403d1c42a8eff6fc93aef64261ad19452b9b5f44776023fd96cd05b041e95e9481b7a8828809b1f592a755610c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekdnr49v.cmdline

Filesize
266B

MD5
ddbc6319a7b7a9453acf916f300c8ce9

SHA1
941bf552cfae9a2e9c637cb4bae05d5d96739d23

SHA256
08828f6c7a0df49b536d0f2fdd46ecae6ac5f3b3cd7ec5447557f8b8c89052c3

SHA512
f6a3100d13fb43ffbd009ba9d9e3e195ffe7309188a06864954aad98e718e5fbdf44daab3ab781fbede090cb6ce82f3428aba6164da52e8dce416ba3b50fa229

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2868.tmp.exe

Filesize
78KB

MD5
70724bed2924edd21fe1259dd502dec3

SHA1
46a7f7b41f6456e7bad2de50dce96dd313f865ee

SHA256
deb4e9915b18f356a216a61bd0c6eb594c9f4d8bbbafd091cf80785ed08c5990

SHA512
035f05dbd8a255846d4713d20328e39e8bc4fda34fda26eb00a708699165efb642ae0fa9e94ecdf783a388075613520481ffac51733615b09b9d200f932f1812

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2BD1.tmp

Filesize
660B

MD5
088e0dd17e22d3d03a11a131e31869ab

SHA1
fe6efbd8e431a697db04bd4033baeafb01c13eea

SHA256
d4a0290235ba38c75ce6d5f3c4dc97240373c2b57411c844ec41a2cc9d064a3c

SHA512
523de6c2fadea2d06c9da34c166286470c298d92fea5231231f8d24d2295360c5bceb8086549c559201dceed2f20fbb5fbbee306ad87d92adaa3f57e9c6772ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1096-8-0x0000000074810000-0x0000000074DBB000-memory.dmp

Filesize
5.7MB

Download
memory/1096-18-0x0000000074810000-0x0000000074DBB000-memory.dmp

Filesize
5.7MB

Download
memory/2296-0-0x0000000074811000-0x0000000074812000-memory.dmp

Filesize
4KB

Download
memory/2296-1-0x0000000074810000-0x0000000074DBB000-memory.dmp

Filesize
5.7MB

Download
memory/2296-2-0x0000000074810000-0x0000000074DBB000-memory.dmp

Filesize
5.7MB

Download
memory/2296-24-0x0000000074810000-0x0000000074DBB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads