metamorpherrat | 59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026

General

Target

59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe
Size

78KB
MD5

35aeeeb9a0dac70088272a88f1d4bbf5
SHA1

4f4bbeed2fc85924d08595dfb7a7828bcc1b9521
SHA256

59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026
SHA512

c82d4a5e743c392f5b08c0aa7fe8058af88568e8e99fb698c608807fa6a0d10e7e5c45612bf58cd810bf0ba9d67d50ae332b3ba74bb5866f85a07749d299fd98
SSDEEP

1536:/osHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtw9/j1W:gsHFoI3ZAtWDDILJLovbicqOq3o+nw9w

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe

Deletes itself 1 IoCs

pid	Process
4752	tmp85BA.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4752	tmp85BA.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp85BA.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp85BA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3444	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe
Token: SeDebugPrivilege	4752	tmp85BA.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 3376	3444	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	82
PID 3444 wrote to memory of 3376	3444	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	82
PID 3444 wrote to memory of 3376	3444	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	82
PID 3376 wrote to memory of 3892	3376	vbc.exe	84
PID 3376 wrote to memory of 3892	3376	vbc.exe	84
PID 3376 wrote to memory of 3892	3376	vbc.exe	84
PID 3444 wrote to memory of 4752	3444	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	85
PID 3444 wrote to memory of 4752	3444	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	85
PID 3444 wrote to memory of 4752	3444	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	85

C:\Users\Admin\AppData\Local\Temp\59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe
"C:\Users\Admin\AppData\Local\Temp\59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\slgn0dzs.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8760.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc268054064B8F4969BAC1CCC21FFBC37.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3892
- C:\Users\Admin\AppData\Local\Temp\tmp85BA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp85BA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8760.tmp

Filesize
1KB

MD5
13c8cda0f478d02747579853f34ee731

SHA1
08e2972f580c08c2ba5e2d8579a88211584c4f29

SHA256
eb4897edca76745b606e159e9dc9e3df509aee2adb60599592bae351cbd6567e

SHA512
9571503a7b48db1889676411828549ecfc8fe30fbdbd5bc5a3bfe3b00fcb06c7c52a1f660566b60b8169f91495b307f4487eaa2c723409fc19055b203f991ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\slgn0dzs.0.vb

Filesize
15KB

MD5
e8aa326f664245bc910b150f5b50a7d5

SHA1
a061ac4ef6d9d529499fe99e205c9bf8a2fddd5b

SHA256
75c89a0612285fbd9baaf4e005b55f212b61ce953895119f16a8ddd1e931dbcb

SHA512
09894b454be58947a32500962a98cc27b9b7ae08d49fdf807e24ff5a61bb50675040f7c14672dc78744deb1c096b7b22dc7c3e0744bd8f2e75e8a36a4461647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\slgn0dzs.cmdline

Filesize
266B

MD5
71b19f548b9526750c5f68118f5fda03

SHA1
fa0d499e319c849f5793ff0cb6e8274f2a8b7e8b

SHA256
e48db35f421c478f987b9955a0fd5ed6acbbbc3c0ced98f37ecea739220a75c6

SHA512
f8aa7314c01c6ddb54c1b0ad0dc3eac1532a9b49d97b30ebc5808a8b9f71bb9d963b8de73d2d3863c0cb09c961a8d7168b1e44103ef020874d42bfe21938b5f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp85BA.tmp.exe

Filesize
78KB

MD5
05dc07b9377d680bc4100669fa50b2ca

SHA1
401407fd7d0e048348b6812505b84810184d840f

SHA256
65b8e6f174b4faac377df1ffa7d6aa4a05e20bbe89173dd28f6b1ed9362d3202

SHA512
f4cb0556118a23102374563c8fae24b57faab3205671c707bbfcdb67a1f0714201fc816ccbff6e1fca31b84b431121b117ca0625d6d188962870e7e22553fc3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc268054064B8F4969BAC1CCC21FFBC37.TMP

Filesize
660B

MD5
009daf75aab141fccb84563a80864d97

SHA1
89cfef17397f755bcc67b945ae6df2b28d357909

SHA256
7497c5c8d29f18ec35bc55fd0c9f7c93adcc58928f0cc0306f86415a33b345ab

SHA512
f9dba9bb1f5b70e4b0429e9650227d96d61e871e19f7c8879ccf45e9178fabf0986b702e931a8ebfdac45fdfae08f4f1a2bf57d8da742628f078e5faca722620

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/3376-18-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/3376-9-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/3444-2-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/3444-1-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/3444-0-0x0000000075182000-0x0000000075183000-memory.dmp

Filesize
4KB

Download
memory/3444-22-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/4752-23-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/4752-24-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/4752-25-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/4752-26-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/4752-27-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads