metamorpherrat | 59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026

General

Target

59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe
Size

78KB
MD5

35aeeeb9a0dac70088272a88f1d4bbf5
SHA1

4f4bbeed2fc85924d08595dfb7a7828bcc1b9521
SHA256

59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026
SHA512

c82d4a5e743c392f5b08c0aa7fe8058af88568e8e99fb698c608807fa6a0d10e7e5c45612bf58cd810bf0ba9d67d50ae332b3ba74bb5866f85a07749d299fd98
SSDEEP

1536:/osHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtw9/j1W:gsHFoI3ZAtWDDILJLovbicqOq3o+nw9w

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe

Deletes itself 1 IoCs

pid	Process
3504	tmp94AE.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3504	tmp94AE.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp94AE.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp94AE.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2164	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe
Token: SeDebugPrivilege	3504	tmp94AE.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2044	2164	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	83
PID 2164 wrote to memory of 2044	2164	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	83
PID 2164 wrote to memory of 2044	2164	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	83
PID 2044 wrote to memory of 2584	2044	vbc.exe	85
PID 2044 wrote to memory of 2584	2044	vbc.exe	85
PID 2044 wrote to memory of 2584	2044	vbc.exe	85
PID 2164 wrote to memory of 3504	2164	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	86
PID 2164 wrote to memory of 3504	2164	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	86
PID 2164 wrote to memory of 3504	2164	59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe	86

C:\Users\Admin\AppData\Local\Temp\59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe
"C:\Users\Admin\AppData\Local\Temp\59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sewk80ht.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9606.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc156698BD42E64EAD86D225EEBB7449EF.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2584
- C:\Users\Admin\AppData\Local\Temp\tmp94AE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp94AE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\59bdabe954838f6d4cb4428731e244a7c6e3cd056a9911b007b6219498c2b026.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9606.tmp

Filesize
1KB

MD5
381579427c4982ac906a27e3d9e55d69

SHA1
190d7e3070e85625696ca22db7ce1473e08191e4

SHA256
596def739fb4fd28d1ca8d677442559fea0273cf8724aea0e5f038f470a65a8b

SHA512
0f4ce69edb1353df36ea170826b13e0434904c25cad1a20f333fecd483b6182db8f20f8072d6158b01d7a8664c82e593372328021a01f4eab6f10ac0800a76aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\sewk80ht.0.vb

Filesize
15KB

MD5
04ac76106cfdc3bcc1b1546853ddf04c

SHA1
cf6fc7fb7f64c1163f1137ac71cc4a2aa66f4e13

SHA256
322a3dae857999de790a583da3b6d8159cf5bc3288a14e6576c829f0798ec1e5

SHA512
ad9fe91b4c6b0f03b239df8f47a80f7c5e5dcad90b3c83432114ad2d754e546afa950401d7dc5009564b5e81041584f0bc076ebab0b63029f00a82ec6e82b51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sewk80ht.cmdline

Filesize
266B

MD5
e14570871469794eb07088fce09d3d21

SHA1
cd7320ab968062cfa166d14507641f3d66e27530

SHA256
36dbf8e3dc87426456786d7028dc5c8e57f736880e318e258eb1972b9af9b4ad

SHA512
9458099417cef428d137352170fe2d2e9820701e1583a7513bfcee4aecc061d7809f572984120277bd2d16c003099be8c7f60b338174c48d43846dac5b3b0c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp94AE.tmp.exe

Filesize
78KB

MD5
59e498ae6daca7e4c77b72efa431440e

SHA1
0971ffdf97fbddcd1428949e9171f1bbf92c2571

SHA256
6c5a6387182910feb3ef1b2cc32c879bb9b5574651ebee5f8e00df7cfd23ae49

SHA512
1047104e32774c7f2fa5d578f00e18bba7b93fae2a8be03f5d6bb075f19f9a88dfb8346b549aac91f0b86bc458f877da8200644864949682c5a4119fdd71b868

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc156698BD42E64EAD86D225EEBB7449EF.TMP

Filesize
660B

MD5
dccd981546304854245fabf816b421cf

SHA1
4de46447b546ba7b3a76482887cd4c8c979997ed

SHA256
308f4c2194eb20c63cf58b908541b52b5e1d631d0554df9150d6db09a1f72459

SHA512
ce4618dcf4f6837cb5762a167c0e166bd01d07a686ffc8f1abc98e93a8393ddc2416d8fe825b835e4ffb3cd81a8a2891c04ff7943ea0d88bf1a458002030f5cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2044-8-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/2044-18-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/2164-0-0x0000000074DC2000-0x0000000074DC3000-memory.dmp

Filesize
4KB

Download
memory/2164-2-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/2164-1-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/2164-22-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/3504-23-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/3504-24-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/3504-25-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/3504-26-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/3504-27-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads