metamorpherrat | a2d7363e71cf851be15cf29c963532fdc740f2275a1a686fc1bd3a070730d663

General

Target

ea598db77a9a4bb6029715382d3ebdb0N.exe
Size

78KB
MD5

ea598db77a9a4bb6029715382d3ebdb0
SHA1

3c13d11d762d10162d7f027bc2819e5a1ec78119
SHA256

a2d7363e71cf851be15cf29c963532fdc740f2275a1a686fc1bd3a070730d663
SHA512

77b25e8fde6539968ed46c57732608dda58a249ef4946516e0de38cd23cfa8200a2bca5efdee23e6a83c93b998d56f233e02e605986cec4fa5c1ad99658c9dd1
SSDEEP

1536:4BWV5jSEAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6Mc9/G1JO:KWV5jSEAtWDDILJLovbicqOq3o+nkc9L

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ea598db77a9a4bb6029715382d3ebdb0N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	ea598db77a9a4bb6029715382d3ebdb0N.exe

Executes dropped EXE 1 IoCs

Processes:

tmp9877.tmp.exe

pid process

4256 tmp9877.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4256	tmp9877.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp9877.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp9877.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ea598db77a9a4bb6029715382d3ebdb0N.exetmp9877.tmp.exe

description pid process

Token: SeDebugPrivilege 4836 ea598db77a9a4bb6029715382d3ebdb0N.exe
Token: SeDebugPrivilege 4256 tmp9877.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4836	ea598db77a9a4bb6029715382d3ebdb0N.exe
Token: SeDebugPrivilege	4256	tmp9877.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ea598db77a9a4bb6029715382d3ebdb0N.exevbc.exe

description	pid	process	target process
PID 4836 wrote to memory of 4612	4836	ea598db77a9a4bb6029715382d3ebdb0N.exe	vbc.exe
PID 4836 wrote to memory of 4612	4836	ea598db77a9a4bb6029715382d3ebdb0N.exe	vbc.exe
PID 4836 wrote to memory of 4612	4836	ea598db77a9a4bb6029715382d3ebdb0N.exe	vbc.exe
PID 4612 wrote to memory of 2508	4612	vbc.exe	cvtres.exe
PID 4612 wrote to memory of 2508	4612	vbc.exe	cvtres.exe
PID 4612 wrote to memory of 2508	4612	vbc.exe	cvtres.exe
PID 4836 wrote to memory of 4256	4836	ea598db77a9a4bb6029715382d3ebdb0N.exe	tmp9877.tmp.exe
PID 4836 wrote to memory of 4256	4836	ea598db77a9a4bb6029715382d3ebdb0N.exe	tmp9877.tmp.exe
PID 4836 wrote to memory of 4256	4836	ea598db77a9a4bb6029715382d3ebdb0N.exe	tmp9877.tmp.exe

C:\Users\Admin\AppData\Local\Temp\ea598db77a9a4bb6029715382d3ebdb0N.exe
"C:\Users\Admin\AppData\Local\Temp\ea598db77a9a4bb6029715382d3ebdb0N.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\toeuzt7h.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F5FCFB828C34AFB92E14F4823952DF.TMP"
3⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\tmp9877.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9877.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ea598db77a9a4bb6029715382d3ebdb0N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4256

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES99CF.tmp
Filesize
1KB

MD5
f349a0790d2947bc5a3d9bf531244c10

SHA1
2944a18a1a49337509b4367dabb72c98e07df84b

SHA256
e0c892d52f20a252726cee6b0e2faf4887536289552f5b967a8425827bc4eeab

SHA512
c961532bf324159be3eef86d9baf280fe6760402f9d633cc804e77ca8ec6924a7b1859eebf12bdb15ddcb547be96fd75e068780f4b4e6256ffa523ed791ae412

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9877.tmp.exe
Filesize
78KB

MD5
e00601bcf9cb753c21e5c661e6114703

SHA1
5e5e8f86cd58c36092b8b4f00e08b05db57453b8

SHA256
ba209c11dbf7d1d6a54fab9b4fca2c655c69b9e9fe082b053669dae7b5c2bc9f

SHA512
aa879f68e0c89b7c72f87924054a4bbd73d5fd1093db808daf0768efae041e004d12446fa10efc4ddcc574ecad7032c88f193b085268284b5f8849a8b0216b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\toeuzt7h.0.vb
Filesize
14KB

MD5
40035c9c2ac667cf63253123d1729539

SHA1
9830ab3ae3e2f53c9ad5bd2160ace629e8fbbd91

SHA256
171fa2815fa7e5b6896e7ab647a96170656b62472f6e605980a80b159fdd6882

SHA512
39b84d43788ccbdd5dfa994fe98e3a0eaceaa57c8cf7afb060e5be262c93d95d32d6344fcfc1392e76f59098f4790b1f3b4366dbb3caec2fe9f2218339fc733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\toeuzt7h.cmdline
Filesize
266B

MD5
5e7b8c76cdbcd3585640ad4e1e58b567

SHA1
9c7e108e112bc8095dee2442ae6a4749bff02ec9

SHA256
36184fc8b01776733c068b2be3c4e7b7d72da8ad487524e0fa68bf35613e8fb7

SHA512
4a77cd2fd940f5438b3c279270e4f53fe63671a654690dc690abe1d72085cbf1260a98871c95060a190268ff8571f607812dae36f8c7cc4c48913b091ac8bc96

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2F5FCFB828C34AFB92E14F4823952DF.TMP
Filesize
660B

MD5
1e840d6471da7f40e766555c926007d1

SHA1
1bc2e691c967a19142931bf153c161eeb9f84da0

SHA256
ea5a9c580fa67a1b5fc44d126ad6013f02ba5a8448436376c14984385afa7a84

SHA512
91c64477057ec849ccfdbcb589a16932ffddf32688d02df5185eb6508d5e3c16deb173558bb6d114eeea9fd7813d37de082901a80a403c6d7660a8fc66285d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/4256-23-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/4256-25-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/4256-24-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/4256-26-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/4256-27-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/4256-28-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/4612-9-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/4612-18-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/4836-2-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/4836-1-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/4836-22-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/4836-0-0x0000000075002000-0x0000000075003000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads