metamorpherrat | 9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92

General

Target

9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe
Size

78KB
MD5

47ef6cc39cfe744caa60f26c0a40a380
SHA1

c95ee19fa00d3d07932b653377efc0957d65f611
SHA256

9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92
SHA512

e567775f9ac0d1e012d385ba24f9519fe40f9613f70b3132654a1614e7536aab96a8d79176f1da713fbe3524a7842baf98fcb3f3f9ccf176edfd72463df0498b
SSDEEP

1536:8Ty5jSEAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6A9/T1Xz:sy5jSEAtWDDILJLovbicqOq3o+nI9/B

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp928F.tmp.exe

pid process

2232 tmp928F.tmp.exe

pid	process
2232	tmp928F.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe

pid	process
2500	9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe
2500	9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp928F.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp928F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exevbc.execvtres.exetmp928F.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp928F.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exetmp928F.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2500	9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe
Token: SeDebugPrivilege	2232	tmp928F.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exevbc.exe

description	pid	process	target process
PID 2500 wrote to memory of 2404	2500	9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe	vbc.exe
PID 2500 wrote to memory of 2404	2500	9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe	vbc.exe
PID 2500 wrote to memory of 2404	2500	9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe	vbc.exe
PID 2500 wrote to memory of 2404	2500	9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe	vbc.exe
PID 2404 wrote to memory of 2248	2404	vbc.exe	cvtres.exe
PID 2404 wrote to memory of 2248	2404	vbc.exe	cvtres.exe
PID 2404 wrote to memory of 2248	2404	vbc.exe	cvtres.exe
PID 2404 wrote to memory of 2248	2404	vbc.exe	cvtres.exe
PID 2500 wrote to memory of 2232	2500	9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe	tmp928F.tmp.exe
PID 2500 wrote to memory of 2232	2500	9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe	tmp928F.tmp.exe
PID 2500 wrote to memory of 2232	2500	9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe	tmp928F.tmp.exe
PID 2500 wrote to memory of 2232	2500	9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe	tmp928F.tmp.exe

C:\Users\Admin\AppData\Local\Temp\9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe
"C:\Users\Admin\AppData\Local\Temp\9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k5w_dckc.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93E7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc93E6.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2248
- C:\Users\Admin\AppData\Local\Temp\tmp928F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp928F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES93E7.tmp

Filesize
1KB

MD5
b12a78782a36fcaa5b826e308e1bb4af

SHA1
86b84434f3da5047deba1e88a6a196c2e2a54813

SHA256
afccc870190009a5fbd1383fe56b7567bd258ed35ef1a3da63377835a54f2b7d

SHA512
d8d9779a74599539c5e627551654f93f5fd2c230a2e4b51d29b6ed4dcaee95324e295c40117f3666033d57e289b05e347f13023e4bca701b86a9640dc9af2522

Download Submit
C:\Users\Admin\AppData\Local\Temp\k5w_dckc.0.vb

Filesize
14KB

MD5
8ecbcd87d9e82de00e44e8c77313199e

SHA1
f7800c411122e136c34ec3b221564fbbc0c6875f

SHA256
944a479475a2085a7f6d331363017a1763cb5686c0f826bc296359753c3e2f66

SHA512
e2bb8f0a76e2b8e01f258e62b6a4ba1bbd0d07d29c004c4ead64ece7fbf1bea085ad00aef63bcbc09d0718f2cd4d9c48fcba9287b2d16894c4fefb31cf8e9eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\k5w_dckc.cmdline

Filesize
266B

MD5
6c4040ebd713f039f3f68b65a3defa88

SHA1
b27f6b649440a28b2f368ffa6b9a27a6cee391ed

SHA256
4989346cf273f22ec92188b6afd7c3ec962853f067e0a32c04991d286ab7dc8b

SHA512
de3f430fe215e1eaa7ded4558f46c9fca33ce8534591b1d3da7d16bf16c36a16d9a64ca1bfb79f38aa6bbc92d9e1013073ca6a2bfdc25a02fd1d89cbeb52d34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp928F.tmp.exe

Filesize
78KB

MD5
b261b8a739d94a56447f6d7a465618e6

SHA1
f37bf864020ae24403fe19251bfffedb9bc7249f

SHA256
810a70d4524b4d42345b1be9c771e0cbb10df8afb972eecebf2b2a3d8423f54f

SHA512
1b6bae981cfb6e2307e835e9c53a9841b6964417f4d650fd3ab15cbd29dcd51693dde2ede31b2a6bda668d051e508cce5538d3ffda4bdd9c4c98b8d28425ebee

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc93E6.tmp

Filesize
660B

MD5
0a09da9fd949d30b30231c3d4c073287

SHA1
4f1b27a18a9a844c67f8604872abeb199d9707e8

SHA256
7366e1cc2b4fedb8e4e10de5674072c567ff7d9c3027c42a0c733d3f8920273f

SHA512
e2a76b19cc770c1d6433584aacd56d522e9ac1cee88fd3298b0e9087a018c3f3809a7265555f860e94638c52012e74cb832ffa84c906fe90825e2ccf1ed9916c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2404-8-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2404-18-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2500-0-0x0000000074951000-0x0000000074952000-memory.dmp

Filesize
4KB

Download
memory/2500-1-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2500-2-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2500-24-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads