metamorpherrat | 155116ff317590abcdc9d3995f8613af3ec569fd2f7ad4cba7e1fee63cbb4a72

General

Target

72be6a06caeeaf3d7eb5efa353dcadb0N.exe
Size

78KB
MD5

72be6a06caeeaf3d7eb5efa353dcadb0
SHA1

865654bea69023d7c271ce612c5de100fb7a9f9e
SHA256

155116ff317590abcdc9d3995f8613af3ec569fd2f7ad4cba7e1fee63cbb4a72
SHA512

5fc9d1a6b29d3333382aa44f1839b1cafce7aa5bf3f9fd4524245e6e440e3298eaab90b563cd1c3c90ecbb6c9a7a615459fa3cef5c4a9e2dab76b0886a3556f3
SSDEEP

1536:nosHY6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qt/9/613s:osHYI3ZAtWDDILJLovbicqOq3o+n/9/H

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

72be6a06caeeaf3d7eb5efa353dcadb0N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	72be6a06caeeaf3d7eb5efa353dcadb0N.exe

Executes dropped EXE 1 IoCs

Processes:

tmpAC4D.tmp.exe

pid process

2200 tmpAC4D.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2200	tmpAC4D.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpAC4D.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpAC4D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

72be6a06caeeaf3d7eb5efa353dcadb0N.exetmpAC4D.tmp.exe

description pid process

Token: SeDebugPrivilege 1100 72be6a06caeeaf3d7eb5efa353dcadb0N.exe
Token: SeDebugPrivilege 2200 tmpAC4D.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1100	72be6a06caeeaf3d7eb5efa353dcadb0N.exe
Token: SeDebugPrivilege	2200	tmpAC4D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

72be6a06caeeaf3d7eb5efa353dcadb0N.exevbc.exe

description	pid	process	target process
PID 1100 wrote to memory of 3728	1100	72be6a06caeeaf3d7eb5efa353dcadb0N.exe	vbc.exe
PID 1100 wrote to memory of 3728	1100	72be6a06caeeaf3d7eb5efa353dcadb0N.exe	vbc.exe
PID 1100 wrote to memory of 3728	1100	72be6a06caeeaf3d7eb5efa353dcadb0N.exe	vbc.exe
PID 3728 wrote to memory of 3852	3728	vbc.exe	cvtres.exe
PID 3728 wrote to memory of 3852	3728	vbc.exe	cvtres.exe
PID 3728 wrote to memory of 3852	3728	vbc.exe	cvtres.exe
PID 1100 wrote to memory of 2200	1100	72be6a06caeeaf3d7eb5efa353dcadb0N.exe	tmpAC4D.tmp.exe
PID 1100 wrote to memory of 2200	1100	72be6a06caeeaf3d7eb5efa353dcadb0N.exe	tmpAC4D.tmp.exe
PID 1100 wrote to memory of 2200	1100	72be6a06caeeaf3d7eb5efa353dcadb0N.exe	tmpAC4D.tmp.exe

C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe
"C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oubi_sqx.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADB5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc55A198E5CF1C46C287CC922BD07031EE.TMP"
3⤵
PID:3852

C:\Users\Admin\AppData\Local\Temp\tmpAC4D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpAC4D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2200

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESADB5.tmp
Filesize
1KB

MD5
fd2b84aff380ba07f514ee4fb0254d73

SHA1
5b9e2453c6249a9fb9ac7cf59cb003deff2e4bd2

SHA256
d63d0a7f596d3d5ef8e83be12aa479402f0a6745a5c7b1be28e1f5ccc4e7b277

SHA512
8a2425ddd97bbb2458c70c26cbd93e3a722f7499446b3533a15c049d4bca7d93bf2ef94d466f088f92f2cfbe99be9b971cd646b75b345ff980abfab594b80e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\oubi_sqx.0.vb
Filesize
15KB

MD5
38133d42ec498eee3d113894ec294608

SHA1
723a7319e35282813ea2a667b76e12083b16fe9c

SHA256
6f2793e238d1f50f09d3987ea565cb78213675bc18a565db297470bfd559417b

SHA512
6ea68f3b9bc5bf1244b05c0581dcdbf11fc2191d18f67b3e9387e7b3fdb0b7cfb81dc881f19d6366749eca942deb01c2138f7924fd4ae699f587c96b758db510

Download Submit
C:\Users\Admin\AppData\Local\Temp\oubi_sqx.cmdline
Filesize
266B

MD5
c6ff39c15f00b66e7d3196abf4a1035b

SHA1
8ec7bf6882f636c97a025c7c4ccffaaf8081e9c9

SHA256
4f5f0b6e86a25869eb2f1872610e61e1524c55420a1e028532e94d7653fc175f

SHA512
6c179cdc4e68f1fd0c7bd8443c28f61619c11aa4dad607869be4c93533a05e2a10e9df1491555ef1d93d54b0e7cb63be512f825480720136bacb38cf95be0b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAC4D.tmp.exe
Filesize
78KB

MD5
23b8129d96a357fcc6ecfe893d45d43f

SHA1
0170b564cd903c6b92aadb8f8c4c9df531974a2d

SHA256
0f5c5de8fe410d8e279d9ce062d2e2cd05c64edad8d42022521908c682387677

SHA512
dfcbb456c3eb1254ccfab198fc7b4798901c425eb0222984a4f615f8ee48f639290122e64dbc6fcb041dff6b00a3021ca6d960c5f5f6b09ab3b97dfd3f3ef72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc55A198E5CF1C46C287CC922BD07031EE.TMP
Filesize
660B

MD5
0bb851c23841754e6df65606b80a9f09

SHA1
b8c0089980f2755c2a47341f43d95f7c3259ec42

SHA256
f8177305a678504c405aa7318e02f93cab17dc6cf530a368a6f2090044622372

SHA512
e37087bf7414dc65eb00d5a3add8d1bee979dd4fc1061fbf9581c8607657ff944d3ed45a72b6e9ee1679c1a9c926ba22c5815f4eb387c4faf7dc218a0d3f3163

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1100-0-0x00000000750E2000-0x00000000750E3000-memory.dmp

Filesize
4KB

Download
memory/1100-22-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/1100-2-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/1100-1-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/2200-23-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/2200-24-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/2200-25-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/2200-26-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/2200-27-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/3728-9-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/3728-18-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads