metamorpherrat | 59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026

General

Target

59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe
Size

78KB
MD5

35aeeeb9a0dac70088272a88f1d4bbf5
SHA1

4f4bbeed2fc85924d08595dfb7a7828bcc1b9521
SHA256

59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026
SHA512

c82d4a5e743c392f5b08c0aa7fe8058af88568e8e99fb698c608807fa6a0d10e7e5c45612bf58cd810bf0ba9d67d50ae332b3ba74bb5866f85a07749d299fd98
SSDEEP

1536:/osHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtw9/j1W:gsHFoI3ZAtWDDILJLovbicqOq3o+nw9w

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2732	tmpE37C.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2084	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe
2084	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpE37C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE37C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe
Token: SeDebugPrivilege	2732	tmpE37C.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2792	2084	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	31
PID 2084 wrote to memory of 2792	2084	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	31
PID 2084 wrote to memory of 2792	2084	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	31
PID 2084 wrote to memory of 2792	2084	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	31
PID 2792 wrote to memory of 2684	2792	vbc.exe	33
PID 2792 wrote to memory of 2684	2792	vbc.exe	33
PID 2792 wrote to memory of 2684	2792	vbc.exe	33
PID 2792 wrote to memory of 2684	2792	vbc.exe	33
PID 2084 wrote to memory of 2732	2084	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	34
PID 2084 wrote to memory of 2732	2084	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	34
PID 2084 wrote to memory of 2732	2084	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	34
PID 2084 wrote to memory of 2732	2084	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	34

C:\Users\Admin\AppData\Local\Temp\59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe
"C:\Users\Admin\AppData\Local\Temp\59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vrxli7cc.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE467.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE466.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- C:\Users\Admin\AppData\Local\Temp\tmpE37C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE37C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE467.tmp

Filesize
1KB

MD5
69c3c42817a5b4d0bf650a7098dc3056

SHA1
108e9962e071596a648659e274c3c99e447ffd56

SHA256
7e6db2750a7c3a3ef34da98269942b7818acb151b36e6a32f07c11d402e25584

SHA512
88bb118d65db821e96a4808446d1300a96d92d3e1697613ea675ee7391cfb423053dfe5f7c3d9909e1edd2f2798857037c934a9c8f037c4c5c10184f409d0333

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE37C.tmp.exe

Filesize
78KB

MD5
47924952872776f360a61820cd6a5ce8

SHA1
788b7326898e3cc0c07a3225405d06aa62796783

SHA256
7c8f434ede37b39cf577d1e41515a223436b376c278c21d10742424c76e8f5e6

SHA512
1e5c3a8e22b02bb0f7a5ce79a570010144216c472c26bc176c48c0f8453412cbf09b90842c1fafe4736be44608003223c261a9a2f27ec638e17a87d644af67c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE466.tmp

Filesize
660B

MD5
48dbf284264476b400d42d7d053bd1ed

SHA1
bd89af63e38a51e70b4e0d8b71e8d7c9084cb94e

SHA256
e915c5d7acb002cc3019ced18c2fcab1a08b8482ba74a9d7c1998e49a1e096ef

SHA512
ec16d8d3ab66a8fccb0c8ee1f81772e0adf521c70a20dd53a9eb9768eb2facfec49838a81ee8cd97377a568fc3a0a2e3dbc837bce7ac81024d8cc0f0b0136548

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrxli7cc.0.vb

Filesize
15KB

MD5
3e9ebdfb586516be1a2ffa0ef47a5a7c

SHA1
3082b5717a6cc7143066e9a9c06d5f40427f4dd3

SHA256
f2ec94b11fc733189b4442a0c787d686d9977869004029035469e694ba926b51

SHA512
9b113ef26c0e4c722a70d3deccfad81b122ce48273f990f2d01c8f0db41fd13f2e3ac5d9b36ec5000c25868d3ca932f86dfd2723ed5c8c18ded9384cbbaebb2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrxli7cc.cmdline

Filesize
266B

MD5
21a17dae375724328927bbfceb67c25e

SHA1
422b5f002217cd29313e30f1935caea25b297036

SHA256
52ae161f050587451c6f8436b8d7c49412205b00a543c5964edf4024d9cd7ffe

SHA512
c97b405aa8c90cf8a954093080470dfb3d6626536486660092ffcd1174185df15ef73669c15058f518d582c4d4307d54622ce6a0450bb37fdc821b9fc61508e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2084-0-0x00000000745D1000-0x00000000745D2000-memory.dmp

Filesize
4KB

Download
memory/2084-1-0x00000000745D0000-0x0000000074B7B000-memory.dmp

Filesize
5.7MB

Download
memory/2084-2-0x00000000745D0000-0x0000000074B7B000-memory.dmp

Filesize
5.7MB

Download
memory/2084-24-0x00000000745D0000-0x0000000074B7B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-8-0x00000000745D0000-0x0000000074B7B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-18-0x00000000745D0000-0x0000000074B7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads