metamorpherrat | dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5

General

Target

dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe
Size

78KB
MD5

92facfe16c246b823206bc4a8a294600
SHA1

4a897cec6e32b92b709eab8994fcecee11ee8e72
SHA256

dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5
SHA512

9b88773aa3c633339aa2c5d5acabd28dc7bc2e31e9047a9bb36f3eaec23680aba11eb16209ef2698ff75f98be16ec30b08b618de0654dede3fee8a2f70c43680
SSDEEP

1536:foRWtHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtMr9/n6:ARWtH/3ZAtWDDILJLovbicqOq3o+nMrI

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpC542.tmp.exe

pid process

1252 tmpC542.tmp.exe

pid	process
1252	tmpC542.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe

pid	process
1836	dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe
1836	dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpC542.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpC542.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmpC542.tmp.exedce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exevbc.execvtres.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC542.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exetmpC542.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1836	dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe
Token: SeDebugPrivilege	1252	tmpC542.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exevbc.exe

description	pid	process	target process
PID 1836 wrote to memory of 2416	1836	dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe	vbc.exe
PID 1836 wrote to memory of 2416	1836	dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe	vbc.exe
PID 1836 wrote to memory of 2416	1836	dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe	vbc.exe
PID 1836 wrote to memory of 2416	1836	dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe	vbc.exe
PID 2416 wrote to memory of 2504	2416	vbc.exe	cvtres.exe
PID 2416 wrote to memory of 2504	2416	vbc.exe	cvtres.exe
PID 2416 wrote to memory of 2504	2416	vbc.exe	cvtres.exe
PID 2416 wrote to memory of 2504	2416	vbc.exe	cvtres.exe
PID 1836 wrote to memory of 1252	1836	dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe	tmpC542.tmp.exe
PID 1836 wrote to memory of 1252	1836	dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe	tmpC542.tmp.exe
PID 1836 wrote to memory of 1252	1836	dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe	tmpC542.tmp.exe
PID 1836 wrote to memory of 1252	1836	dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe	tmpC542.tmp.exe

C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe
"C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n1yil_ir.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC65C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC65B.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2504

C:\Users\Admin\AppData\Local\Temp\tmpC542.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC542.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC65C.tmp

Filesize
1KB

MD5
22ffe6264ad77a377e85b810bdb2be96

SHA1
68acbff65827bc43a7d57798341cd7321f451cd8

SHA256
f89f9e82d7d0ee3fcf84c48c8ab085da8b58841ede2fdefa9b0ada88f73d8fc0

SHA512
13505c146bc27eae8655dce8406d1a39d6daa76fbf588ed99f5545a1aae896301129f930a29c29e7b405c3bcf2bcaa05b2d7652989c7b0604131aca75b3a7484

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1yil_ir.0.vb

Filesize
15KB

MD5
e05b7fdd37ffc0aecace2e225098ca47

SHA1
d4397b5629d3f10c313341f9b23b6381f8ae6be2

SHA256
d41e79c8c3f9e7457ed2c398d03d9b8d4610ef47a7cfe6351e0a64f539b6d293

SHA512
52cdd855aa2868354e8f7150d50fd006c67295d88191fbc3a2d211fbd8daa493208d1da1590c040ab07c3e30863c61bac6ee7130b2b83196c4392c9c7b191355

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1yil_ir.cmdline

Filesize
266B

MD5
918d3c699ca71d414f6d96e1d639b158

SHA1
4c48583ff486735d7765a4d10ef1d680f5c1f28e

SHA256
e771242c38c696e773981e78536f12280a7bf4177609be5ec3f74c43c54f8ea8

SHA512
7503ac09c2f90e7e1f103031c91eddd2202ee43ed31b81fc9ae483627484603e644b22a831489e6cd7e3cc608076ab62d653c58822526e5ea3f889fefe46b4e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC542.tmp.exe

Filesize
78KB

MD5
11b577655b9c35054a0edb8d7c188051

SHA1
6990d678156fff24e314a55b29e11d2ee508b59b

SHA256
1102901fc056b15c60edd00c87e5bc8214704d7d001ccec7993e44efcf820198

SHA512
09d8d5faa7bad1ff659c6bd3e3b9a8ea40908e106017ff8de958d0353c565b3b4cb33e57e97351a80288962304980321052036bc8d134e6b36b85372bbe5d91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC65B.tmp

Filesize
660B

MD5
c501f6928a4c1bd13b2e781a74641ac1

SHA1
55a4219aac852ec43115cd2882d8bf15cf68936b

SHA256
ae8db389a144c975de6fbe39618f08fb443a4bb28c59a3207c9b448f9dec2260

SHA512
7639effced40398df85287bcc6f0d202fa661759de91ea6f8afdd837c0e927d0f4a7fc4eb6087850197ba93b6b46c7c59623d4706db5ff88a69a7546776a1c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1836-0-0x0000000074241000-0x0000000074242000-memory.dmp

Filesize
4KB

Download
memory/1836-1-0x0000000074240000-0x00000000747EB000-memory.dmp

Filesize
5.7MB

Download
memory/1836-2-0x0000000074240000-0x00000000747EB000-memory.dmp

Filesize
5.7MB

Download
memory/1836-24-0x0000000074240000-0x00000000747EB000-memory.dmp

Filesize
5.7MB

Download
memory/2416-8-0x0000000074240000-0x00000000747EB000-memory.dmp

Filesize
5.7MB

Download
memory/2416-18-0x0000000074240000-0x00000000747EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads