metamorpherrat | cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f

General

Target

cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe
Size

78KB
MD5

ff8f48e89cdd1f1bb1373e4030cf36dc
SHA1

d1e97a665c5ea8c2d6ade1a6438217993795b1d5
SHA256

cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f
SHA512

15bfe443c92bbd35e940c04704cdede2e53fe07e11f2e778ca61943324cbceb635eb2155d254181c9d6644db0601f6d528661a205a6ee238aa1935ab9e5a625d
SSDEEP

1536:YoRWtHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtMu9/SG:fRWtH/3ZAtWDDILJLovbicqOq3o+nMup

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe

Deletes itself 1 IoCs

pid	Process
5080	tmpD5BF.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
5080	tmpD5BF.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpD5BF.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD5BF.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe
Token: SeDebugPrivilege	5080	tmpD5BF.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 4944	2008	cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe	85
PID 2008 wrote to memory of 4944	2008	cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe	85
PID 2008 wrote to memory of 4944	2008	cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe	85
PID 4944 wrote to memory of 3036	4944	vbc.exe	87
PID 4944 wrote to memory of 3036	4944	vbc.exe	87
PID 4944 wrote to memory of 3036	4944	vbc.exe	87
PID 2008 wrote to memory of 5080	2008	cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe	88
PID 2008 wrote to memory of 5080	2008	cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe	88
PID 2008 wrote to memory of 5080	2008	cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe	88

C:\Users\Admin\AppData\Local\Temp\cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe
"C:\Users\Admin\AppData\Local\Temp\cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qluvqu9p.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD6D8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc877264679C554C5EB53456E8A78148F6.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3036
- C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cb9a89b457c4f0c79fdeca213ab313a3d5e360d9021773c7e23290e3d70a9c8f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD6D8.tmp

Filesize
1KB

MD5
5ff0a52ef4f4cfdbf45c5954a0a250f5

SHA1
28a91df2e28b3ead68feb238f5d5c60a34444174

SHA256
27383919a6e2ce7383cfa3ba0117356d608f9e8d1bff060cbbf9a8b1c18a08dc

SHA512
c08b803d6946a88f44b234ec8d4895ddd3e4a8b0add26ccb084e1ce732d86df519d7c9de7609b5e420107764dee94e8290e1b72c5937a4402c680aa888689614

Download Submit
C:\Users\Admin\AppData\Local\Temp\qluvqu9p.0.vb

Filesize
15KB

MD5
6585d1611e17551fcb0a4a1320fe825d

SHA1
e748a49a5767b484a0c107ba1d062099d1958dda

SHA256
660c098798a3779eb67b98c9b3e677271910f76cb5632cead2303561c6569b4f

SHA512
15aed0938affb86ebb0e1e5998769a01f8634541969b82e3f073e2cf239ed72662e8b90e15efe3e3afa6720d0447162650b6e8df115f71bdfaf17c3cb728832b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qluvqu9p.cmdline

Filesize
266B

MD5
1927282a2a9f7b3da5ac46c07ef0eac4

SHA1
dcc0e879de46575d4bdb4147636ef09dcb2a186b

SHA256
109e2b3b4a2feaefd42beffdf3ce7e049eb0a1d2c8f1b1e3a403306dd19386ed

SHA512
1e87af12002bea76091bfd986fa9b1e7494fe0b7a816fa748ae1696d174ff0568020a60a238524a3fe5a8364ecf28878702022a727c269c71350dad0a51e6cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe

Filesize
78KB

MD5
b2eae9d839349b5ba56cf6d92d45b5ad

SHA1
22fea949c4df98093848433ed3899ef9da64772b

SHA256
6515a6bad66ad0737c9b3c391f1867030c681fdb845098f0317b98320f5e9939

SHA512
cc43e8f4976c69973f6d5ba987266b102288a26f7988cf14e420c4cc02676c23dc0099863701497eff02ed9bbcc78bffc8cd0c2b498e9f4a7e726bf44d79c50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc877264679C554C5EB53456E8A78148F6.TMP

Filesize
660B

MD5
2fb2719bb4eec126f3e4bc6024e033eb

SHA1
72397a1f1320214f912d8be32e454ebe98f7110d

SHA256
e53c87f061f0d392443317a7a099318e921a61dac58f3d4bc725f6aaf585fa1b

SHA512
379a517931ce9c89fa9a74e44a8265eb4202a3d6511a3a2fd4e7cd7afdbfed4611cd2cf288262ea40e57d17c2ace5be645685b14edb5ddad0f4f1fd7e71f6b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2008-1-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/2008-2-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/2008-0-0x0000000074E92000-0x0000000074E93000-memory.dmp

Filesize
4KB

Download
memory/2008-22-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/4944-8-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/4944-18-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/5080-23-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/5080-24-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/5080-25-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/5080-26-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/5080-27-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/5080-28-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads