metamorpherrat | 9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92

General

Target

9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe
Size

78KB
MD5

47ef6cc39cfe744caa60f26c0a40a380
SHA1

c95ee19fa00d3d07932b653377efc0957d65f611
SHA256

9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92
SHA512

e567775f9ac0d1e012d385ba24f9519fe40f9613f70b3132654a1614e7536aab96a8d79176f1da713fbe3524a7842baf98fcb3f3f9ccf176edfd72463df0498b
SSDEEP

1536:8Ty5jSEAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6A9/T1Xz:sy5jSEAtWDDILJLovbicqOq3o+nI9/B

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe

Deletes itself 1 IoCs

Processes:

tmp6E89.tmp.exe

pid	Process
5084	tmp6E89.tmp.exe

Executes dropped EXE 1 IoCs

Processes:

tmp6E89.tmp.exe

pid	Process
5084	tmp6E89.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp6E89.tmp.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp6E89.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exevbc.execvtres.exetmp6E89.tmp.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6E89.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exetmp6E89.tmp.exe

description	pid	Process
Token: SeDebugPrivilege	2936	9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe
Token: SeDebugPrivilege	5084	tmp6E89.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exevbc.exe

description	pid	Process	procid_target
PID 2936 wrote to memory of 4968	2936	9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe	83
PID 2936 wrote to memory of 4968	2936	9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe	83
PID 2936 wrote to memory of 4968	2936	9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe	83
PID 4968 wrote to memory of 4824	4968	vbc.exe	86
PID 4968 wrote to memory of 4824	4968	vbc.exe	86
PID 4968 wrote to memory of 4824	4968	vbc.exe	86
PID 2936 wrote to memory of 5084	2936	9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe	89
PID 2936 wrote to memory of 5084	2936	9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe	89
PID 2936 wrote to memory of 5084	2936	9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe	89

C:\Users\Admin\AppData\Local\Temp\9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe
"C:\Users\Admin\AppData\Local\Temp\9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kf8q_5lu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FA2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC0F5BB6E15034C02B9907C8C236BEF41.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4824
- C:\Users\Admin\AppData\Local\Temp\tmp6E89.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6E89.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6FA2.tmp

Filesize
1KB

MD5
611b8a16ff704911fe3f8b9d8dc5155e

SHA1
8d2226eb95537ac29bd9154323298ab3182ec973

SHA256
b52c51b2081b577eaa6e030e3ece1305b89451ae363d07eb8636d4495ba5c3a5

SHA512
f9e6498e884421f9aabeaa0ddd6a2909f7c6a0cd8bfe33e88a0a130a78898b11758f4873218f2d7ab95289fc1cfb0120c0a35b8dd29c871f065fdfec9e8c769d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kf8q_5lu.0.vb

Filesize
14KB

MD5
c8bfe5923a147c68e9c9bb3feab38e83

SHA1
63921ed51dc9bd978824e11a35a0fcc9ec39b88c

SHA256
78b7cb0e654060cba12655d3abe14e084b1191338eb8e5eb8261e5fe07b8f144

SHA512
eacd17163788dceeb91b8a09d54aba2b43ec0b7c6888f2b6bfed2dc5133cc145711606bfdd48e5e71e2c51b001ab65064365a6e72f72fc329c58acfe16b7581e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kf8q_5lu.cmdline

Filesize
266B

MD5
1ddbe5d1d3b56067bcaa4f0d06b0aab8

SHA1
c203a5c4083f40dd9af78585175907584a8450f3

SHA256
9ccac78dda2367d4b397fc171f166632d1b40e30228b3c4d569013abfb7c5e9b

SHA512
015688fc3dda059d93b0696e96c9db4404593f4804f6931e96e4a14376c35721cd62fc51a97b950e726aa7eb507ef3d11fa477def9d7dfbf7eab3f03cef63f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6E89.tmp.exe

Filesize
78KB

MD5
494a0eab8e3ec388b3c0b937c2917501

SHA1
58d6a3930f61ce877be2d4c1ddf63c9dd7dd05c0

SHA256
ff948d3812618a599342239f6202e6b2f24088050899b82d03ed0a2d24788355

SHA512
85f3d186efea77db9b4e74675b2c7426b975046fdfd66e703c794c97b9c61bd49bd810ac9ca1f796d37568bf761a357af1aa271027ccc8295d62929e5e704904

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC0F5BB6E15034C02B9907C8C236BEF41.TMP

Filesize
660B

MD5
beb012940b5be7f7124b7923454a920a

SHA1
a481e80adfe594ac34e151427cbb1decd10988ee

SHA256
6bed8113afd4de5d11ff1708b0bf558a837a777bbe74438bc0555dd9c4130710

SHA512
8d9dfd57bfd766f540353143b9c778838d5f8b9a99bc29e56b7d6b365c2c903cb4d91433059d45740d531692d6fd71b9e37ab0f6b9a5a6c180252c35cf704c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2936-0-0x0000000074F32000-0x0000000074F33000-memory.dmp

Filesize
4KB

Download
memory/2936-1-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/2936-2-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/2936-22-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/4968-9-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/4968-18-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/5084-23-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/5084-24-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/5084-25-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/5084-26-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads