metamorpherrat | dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5

General

Target

dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe
Size

78KB
MD5

92facfe16c246b823206bc4a8a294600
SHA1

4a897cec6e32b92b709eab8994fcecee11ee8e72
SHA256

dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5
SHA512

9b88773aa3c633339aa2c5d5acabd28dc7bc2e31e9047a9bb36f3eaec23680aba11eb16209ef2698ff75f98be16ec30b08b618de0654dede3fee8a2f70c43680
SSDEEP

1536:foRWtHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtMr9/n6:ARWtH/3ZAtWDDILJLovbicqOq3o+nMrI

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe

Executes dropped EXE 1 IoCs

Processes:

tmpF117.tmp.exe

pid process

4920 tmpF117.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

pid	process
4920	tmpF117.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpF117.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpF117.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exevbc.execvtres.exetmpF117.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF117.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exetmpF117.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3356	dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe
Token: SeDebugPrivilege	4920	tmpF117.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exevbc.exe

description	pid	process	target process
PID 3356 wrote to memory of 4824	3356	dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe	vbc.exe
PID 3356 wrote to memory of 4824	3356	dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe	vbc.exe
PID 3356 wrote to memory of 4824	3356	dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe	vbc.exe
PID 4824 wrote to memory of 3572	4824	vbc.exe	cvtres.exe
PID 4824 wrote to memory of 3572	4824	vbc.exe	cvtres.exe
PID 4824 wrote to memory of 3572	4824	vbc.exe	cvtres.exe
PID 3356 wrote to memory of 4920	3356	dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe	tmpF117.tmp.exe
PID 3356 wrote to memory of 4920	3356	dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe	tmpF117.tmp.exe
PID 3356 wrote to memory of 4920	3356	dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe	tmpF117.tmp.exe

C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe
"C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wxt7oz4e.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF28E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9DD9AF7E7614E9BB82CE93FF5E0A552.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:3572

C:\Users\Admin\AppData\Local\Temp\tmpF117.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF117.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF28E.tmp

Filesize
1KB

MD5
e369f6c8cae764ae660e30432ccba239

SHA1
029ea92d3570227852cd651eadce9f58c17cb5cb

SHA256
66b9096dfe938455a4e638dda4477731b467e87dcacec4cddd9d4b88acc2ebb6

SHA512
11da37b11acf43acd23699c64b88eeb5f8f3950418fb8911bc1b76419a1c75ad3a71f89d1e0420c0bfae4352d398e20186941d703616a47c96dd7d90a4a3053e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF117.tmp.exe

Filesize
78KB

MD5
309e16c91f88babea2ed05f4e2282793

SHA1
4619c0a562e0b1065a89b7cb81c3109b27b6fa17

SHA256
ec0155079b26696a43127f944553cfde0ed75f04177c9ac4433389ef6cf6a1b7

SHA512
1b92eacb8a3ccc11334df9915d154255370e8e0bf6f12d88236bfeb2451bea3d07564e083b24e9622dd027437a147f2d0da7dc0183e4b311d07bcd08972cb4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9DD9AF7E7614E9BB82CE93FF5E0A552.TMP

Filesize
660B

MD5
71265b061be93a939ab31db4dc17336c

SHA1
3c59e735b90550f2d7cd6ba061d555f1affbb3cb

SHA256
7609834282fa09eb9af9b4b34ded8d924a23f42af46b282812ae2a43163687cc

SHA512
672398b16ec0f13f94a07ed6b170a9d9126ed561c5964b54c01e405155964a0c33c2f9b105e63576d879855f5bb0f646c23dd47303855fdf34612982bad059ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\wxt7oz4e.0.vb

Filesize
15KB

MD5
09fad7aba36cdc1227ef37b4b69ab583

SHA1
361f94ac7f244b7d590e1ca66cc9dfebc5080d92

SHA256
ab2b1f4191eb76180ab154e2ddd7901e7900cb26a6df55b7fa0a165ec3506be9

SHA512
4dc97109c79cd015f19eeeeef41a76d8ccb570b6412e0314c13d8009acbf71bb3c42566a5eb490414e90e2a06e597d38d810b4753145f3646f4cff91085f02c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wxt7oz4e.cmdline

Filesize
266B

MD5
2c06bbd11e506b6794c1a775fcd86800

SHA1
b6380dbbb3e7a2eee53453810f34f4b1761e30ea

SHA256
4f6ed3469d7c70b328660f48880e75e34b3e7ecd852a1c9f12a40d371e8caf2b

SHA512
43162698c7f5a03f34f0c1a03ed2f3abb80feefb808cad0f648113290f0cea055507dc65a861bc0f259778e10b6e13e3950f7653d9a2c5552640aa9afa8baea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/3356-1-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/3356-2-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/3356-0-0x0000000075302000-0x0000000075303000-memory.dmp

Filesize
4KB

Download
memory/3356-22-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/4824-9-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/4824-18-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/4920-23-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/4920-24-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/4920-25-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/4920-26-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/4920-27-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/4920-28-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads