metamorpherrat | 777ee8728510bc40496d40fff073848081d19135c4ae88210e4a1d8c3196a007

General

Target

818455c49d4f7d1ac72755eab5482b20N.exe
Size

78KB
MD5

818455c49d4f7d1ac72755eab5482b20
SHA1

c944c539adb88a3bf2a7f3cf16147e5d1d027fb2
SHA256

777ee8728510bc40496d40fff073848081d19135c4ae88210e4a1d8c3196a007
SHA512

fe8212b80a27324821e3490961efb46648d0f741273e328ad344a694763e1c9d6a069887087b9381800941752104537b252c286230ddddc130b7862cb2ba63b0
SSDEEP

1536:8A5jStAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti629/P1TN:Z5jStAtWDDILJLovbicqOq3o+n+9//

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

818455c49d4f7d1ac72755eab5482b20N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	818455c49d4f7d1ac72755eab5482b20N.exe

Deletes itself 1 IoCs

Processes:

tmpBAF3.tmp.exe

pid process

3684 tmpBAF3.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmpBAF3.tmp.exe

pid process

3684 tmpBAF3.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3684	tmpBAF3.tmp.exe

pid	process
3684	tmpBAF3.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpBAF3.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpBAF3.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

818455c49d4f7d1ac72755eab5482b20N.exetmpBAF3.tmp.exe

description pid process

Token: SeDebugPrivilege 1060 818455c49d4f7d1ac72755eab5482b20N.exe
Token: SeDebugPrivilege 3684 tmpBAF3.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1060	818455c49d4f7d1ac72755eab5482b20N.exe
Token: SeDebugPrivilege	3684	tmpBAF3.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

818455c49d4f7d1ac72755eab5482b20N.exevbc.exe

description	pid	process	target process
PID 1060 wrote to memory of 4552	1060	818455c49d4f7d1ac72755eab5482b20N.exe	vbc.exe
PID 1060 wrote to memory of 4552	1060	818455c49d4f7d1ac72755eab5482b20N.exe	vbc.exe
PID 1060 wrote to memory of 4552	1060	818455c49d4f7d1ac72755eab5482b20N.exe	vbc.exe
PID 4552 wrote to memory of 4576	4552	vbc.exe	cvtres.exe
PID 4552 wrote to memory of 4576	4552	vbc.exe	cvtres.exe
PID 4552 wrote to memory of 4576	4552	vbc.exe	cvtres.exe
PID 1060 wrote to memory of 3684	1060	818455c49d4f7d1ac72755eab5482b20N.exe	tmpBAF3.tmp.exe
PID 1060 wrote to memory of 3684	1060	818455c49d4f7d1ac72755eab5482b20N.exe	tmpBAF3.tmp.exe
PID 1060 wrote to memory of 3684	1060	818455c49d4f7d1ac72755eab5482b20N.exe	tmpBAF3.tmp.exe

C:\Users\Admin\AppData\Local\Temp\818455c49d4f7d1ac72755eab5482b20N.exe
"C:\Users\Admin\AppData\Local\Temp\818455c49d4f7d1ac72755eab5482b20N.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mgxnh8jf.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCD8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC1DD413EB81B4260B8E49E8AD29A4EBA.TMP"
3⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\tmpBAF3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpBAF3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\818455c49d4f7d1ac72755eab5482b20N.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBCD8.tmp
Filesize
1KB

MD5
3d64156068ac9265a65a4a6f28ae0c25

SHA1
e9dd8daac355a7fa7894ebd5bd6b736dddadaadb

SHA256
955f681b4440304986b3f1a37792014fb6202a18c8c5139206a9fdbef9086df2

SHA512
85d3514c64cf3f826893c9c5f1f70ed0cc4639e753ecd6e1675efc2bfe40810fda79bba1215b5b36ec1166e5b9b1433e50c62e00408eb3f3788d58b1b82e841d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgxnh8jf.0.vb
Filesize
14KB

MD5
1415d03f77ff1f0506f2333750dce18b

SHA1
5067da76da254a09634cdc7be4dacbabb91fafea

SHA256
8f2cc930370c4f7af1a293932603f10ffd9327ef1fef3d03e4fe53dc10d7a6b7

SHA512
397f0329a7e340b277439a5ada7c8f4b29090e3f8795cbe4920d7e04e89faa5eb54045eb0e2f02787f9e8a0d49f97c5bf0d4fbcc3822728208d421cdd051ef3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgxnh8jf.cmdline
Filesize
266B

MD5
091fb5bcae0110a28cf951fd9e57fe48

SHA1
f1f94cd18895b0122ef02817ff322304d19c7cd5

SHA256
aae9832ab4bddeeb129f81b9d610f495b614c43831b569b0d66d8f2bef0eeb66

SHA512
090b0eccdc3ef2bc7d8f9a50c3e63aa1d6965d040e9b1cdc8d804a99d0184d867097ad291b6efb2404d53a0e7336b1820c3c74770c1371e3ab5f7b70a08ba45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBAF3.tmp.exe
Filesize
78KB

MD5
d41405b30b66dd4217aec97b855b8044

SHA1
f74db53a9b13af5d49c5a71da78dc1c9f5530c42

SHA256
f20a3ff72aab049e29b11449f51a1935ca3ca20b37c8a3312b0f7ec9cafd5b00

SHA512
86c54664c0b4d08d7b6b9ff4e3de6604dd828068c9386b3633e37cc13a96ad5ff848d78d8391bc3993b2b204a9ec81c96b7f8443277a8e80060753b899706e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC1DD413EB81B4260B8E49E8AD29A4EBA.TMP
Filesize
660B

MD5
f7abdcfa2b84539c1da113e296ba3be0

SHA1
4cf71e72b1098bec9f90712e53d8f356eb5c298d

SHA256
7927bf2e940917113d95771095e4533b97b129705784933cb005e42cd3628553

SHA512
4b933d4ecee30a74f53414dc74a6811cdbb7a9b8547f760fb112b7c14fa424501b6e65c3482b3b408f1ebbe618115050d600773b68b0a9aa40d194a848cfd07b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1060-22-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/1060-2-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/1060-0-0x0000000075092000-0x0000000075093000-memory.dmp

Filesize
4KB

Download
memory/1060-1-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/3684-23-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/3684-24-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/3684-25-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/3684-26-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/3684-27-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/4552-18-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/4552-9-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads