metamorpherrat | 59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026

General

Target

59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe
Size

78KB
MD5

35aeeeb9a0dac70088272a88f1d4bbf5
SHA1

4f4bbeed2fc85924d08595dfb7a7828bcc1b9521
SHA256

59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026
SHA512

c82d4a5e743c392f5b08c0aa7fe8058af88568e8e99fb698c608807fa6a0d10e7e5c45612bf58cd810bf0ba9d67d50ae332b3ba74bb5866f85a07749d299fd98
SSDEEP

1536:/osHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtw9/j1W:gsHFoI3ZAtWDDILJLovbicqOq3o+nw9w

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2852	tmpE994.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2980	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe
2980	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpE994.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE994.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe
Token: SeDebugPrivilege	2852	tmpE994.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2020	2980	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	31
PID 2980 wrote to memory of 2020	2980	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	31
PID 2980 wrote to memory of 2020	2980	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	31
PID 2980 wrote to memory of 2020	2980	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	31
PID 2020 wrote to memory of 2828	2020	vbc.exe	33
PID 2020 wrote to memory of 2828	2020	vbc.exe	33
PID 2020 wrote to memory of 2828	2020	vbc.exe	33
PID 2020 wrote to memory of 2828	2020	vbc.exe	33
PID 2980 wrote to memory of 2852	2980	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	34
PID 2980 wrote to memory of 2852	2980	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	34
PID 2980 wrote to memory of 2852	2980	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	34
PID 2980 wrote to memory of 2852	2980	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	34

C:\Users\Admin\AppData\Local\Temp\59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe
"C:\Users\Admin\AppData\Local\Temp\59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r78tn7hi.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB69.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB68.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2828
- C:\Users\Admin\AppData\Local\Temp\tmpE994.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE994.tmp.exe" C:\Users\Admin\AppData\Local\Temp\59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEB69.tmp

Filesize
1KB

MD5
b5f8f2112fcc946cb6cb90760e820234

SHA1
34d290bc597d6caf0892b8e89f23657f6487a22b

SHA256
957a1ac6bc40ed4285abbbd3d849cd1c6f6112dcc0b2a33ec966995cd225e378

SHA512
9c171168f4d032d04743bd8ce2975980074bd54265eb9058015be8e8f454d07b5f1a148ab8a4c85800a760537d885c92a09d63a8c5d5a5b2d263731aacdfcede

Download Submit
C:\Users\Admin\AppData\Local\Temp\r78tn7hi.0.vb

Filesize
15KB

MD5
172742b188bd42e87dfdc15f563a4996

SHA1
cac87b15232fe1275ff677104274e9ae8aab58b3

SHA256
91be7b8f35d0c9e633e62526b3662427022099f78ece3f289cf7e875aad35981

SHA512
3ce0fe6b16775d9250be8ae8773fdf7a95cef7c157fa161aa868cc11d537432e677e1b404f880d782b77236b770a955eb962072e1f8f5e4790f982463dff8493

Download Submit
C:\Users\Admin\AppData\Local\Temp\r78tn7hi.cmdline

Filesize
266B

MD5
19f2419333151c028e4ffe3e81cb29e4

SHA1
9db83b9e543b5bf0df5721e98133a8d0be511fe0

SHA256
ee697e34d66d9871257433553ebf1fd41ece82f59a41297ad64f574897fa91cb

SHA512
fe50b65860e046f861d612ba7daab76ae05ee63a0743b2caca4dcb3d636bf35c590cd69586e968e0f561067d388bc6feba61e6e62cd9553a899bd5489a263491

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE994.tmp.exe

Filesize
78KB

MD5
ec8ef8519d1ee44e58e01a7e7620270c

SHA1
e930d941eda4394b9bc72c67173e870dd16695a9

SHA256
e2f5db3a2b570d35f95f4d91e6b6c580ca222941903e801d642997f5c1686dfc

SHA512
b493f7071a67b7357232f72274a6c6b5a2a9204b8c739cea40cc4ea9c091a4d571712d69189f0d3daa4b68cccf1fff09d122743d59339eecbf2633b137441b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEB68.tmp

Filesize
660B

MD5
ce16612904b409764066b0874d72f24d

SHA1
246c43edecdc2cec5b852b75e10404d322c66f9c

SHA256
f6b7cf18a95eae6261d6c08271eabd0a657620d1884d2767b6aaf0a65b67f61e

SHA512
3ab4636e5ee14cb632181148b282e7483ca9819f86c798012044af30dc11d9a205df07a237a962b4f51eba7b7d2e1291c61d572f5961fc6d5d465b5488653a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2020-8-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2020-18-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2980-0-0x0000000073FE1000-0x0000000073FE2000-memory.dmp

Filesize
4KB

Download
memory/2980-1-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2980-5-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2980-24-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads