metamorpherrat | 070def2d76946994196689b38aab650d16799ec9632ab44fb9926ce55bc6d2e3

General

Target

0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
Size

78KB
MD5

0c7da8d5a9cd906b6e7bfa5c6c3e5c40
SHA1

4403b0775b66ad69b326dd5f9abbe736e0ce10c7
SHA256

070def2d76946994196689b38aab650d16799ec9632ab44fb9926ce55bc6d2e3
SHA512

2e05e10e498cfa978aa5865a8de0b7c66ca831f96e2fb170d7b5cec1c2ad39c18e1b18faea13d9be359584d3eaa14d2768619f402006f0826a29f278d9b7a45e
SSDEEP

1536:ImWtHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtL49/u1D:1WtH/3ZAtWDDILJLovbicqOq3o+nL49E

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp2F98.tmp.exe

pid process

2372 tmp2F98.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe

pid process

560 0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
560 0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2372	tmp2F98.tmp.exe

pid	process
560	0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
560	0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp2F98.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp2F98.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exevbc.execvtres.exetmp2F98.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2F98.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exetmp2F98.tmp.exe

description pid process

Token: SeDebugPrivilege 560 0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
Token: SeDebugPrivilege 2372 tmp2F98.tmp.exe

description	pid	process
Token: SeDebugPrivilege	560	0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
Token: SeDebugPrivilege	2372	tmp2F98.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exevbc.exe

description	pid	process	target process
PID 560 wrote to memory of 2468	560	0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe	vbc.exe
PID 560 wrote to memory of 2468	560	0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe	vbc.exe
PID 560 wrote to memory of 2468	560	0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe	vbc.exe
PID 560 wrote to memory of 2468	560	0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe	vbc.exe
PID 2468 wrote to memory of 2848	2468	vbc.exe	cvtres.exe
PID 2468 wrote to memory of 2848	2468	vbc.exe	cvtres.exe
PID 2468 wrote to memory of 2848	2468	vbc.exe	cvtres.exe
PID 2468 wrote to memory of 2848	2468	vbc.exe	cvtres.exe
PID 560 wrote to memory of 2372	560	0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe	tmp2F98.tmp.exe
PID 560 wrote to memory of 2372	560	0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe	tmp2F98.tmp.exe
PID 560 wrote to memory of 2372	560	0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe	tmp2F98.tmp.exe
PID 560 wrote to memory of 2372	560	0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe	tmp2F98.tmp.exe

C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
"C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fdysrknf.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3370.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc336F.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2848

C:\Users\Admin\AppData\Local\Temp\tmp2F98.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2F98.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2372

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3370.tmp
Filesize
1KB

MD5
ff132c4f4ca20c5fdcd6c26702f6a884

SHA1
02bb219e757a8e2c51485d7735e6e414e84e0cc0

SHA256
8388e0f7b089360cd285e11975f8f4fa6241e43037f9ccfebd0cb573e42a0f4b

SHA512
67b4ee6bd13c0dcaea6bc458b4f31142b995ddf26bb57353300f523415f49fc2f1a036a80b153cb7b01af3db0610ae422bf3f5512d8e6598aacb2980282997e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdysrknf.0.vb
Filesize
15KB

MD5
6d52664d61a9a3c9fe10bb4d01d575ec

SHA1
27a8262e80e55c8b2317e658285369858eed6797

SHA256
a96f90258caf142e21b70ccfe36bc41099eb63bc314fc8885a5efe368c2b4309

SHA512
5a129fba5d612535ac085f24505536addcbcfcc1c659b702f8f3b20d50df4874fdd742ee38588d835528a55694c45fb6e6c77e068e0671c3f0f6f6481de035e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdysrknf.cmdline
Filesize
266B

MD5
d16fdbf48d43701e016840965f1df31c

SHA1
ec2825ae5ccc08de854adcd8bf5cd553f9244fad

SHA256
6cac0cafbd66696b8cd0e1cafa0aff88559c74c67dd6a5c376dc50a13177074c

SHA512
ded7bd7b9a61a902738b98b8bd30631e2c81eeb8cbc39c823b12033d0a281abfeb2a6d2071fc6e5d74988ec91262add412e541b4adfee19f8d3a23c1c246047e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2F98.tmp.exe
Filesize
78KB

MD5
af9af37199c936713f45e362d8a45e39

SHA1
6984a2dba9872dded20089dddec66c06e25daca2

SHA256
1a46d21a2d180523cde40c209ed12f20a2ae1fefb2fa8cfcdb2688c332b569f7

SHA512
b981107e3e325fe9841ac3fb6dbebd8639bfe64a3d5c534d0ba626e23f28b78bfcc8e42968ec4b176336b885c7be6680ddbbe21800894791b61342e5a6bf0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc336F.tmp
Filesize
660B

MD5
5f34b9a1843666538a7d5cca37ec73b3

SHA1
037de3fa621fcdffa80319a1d38a6457f8cefc82

SHA256
684dfbd896552e7d7160b955e0752c86d52ec9003837f75575f3418706c0c2b0

SHA512
89ecade41191fe4b8c59f69d5a7b5142028a048eb8216f58a4c21634465f296cdf921eea6720ddd0901a568cf5a304f24e0bc3f1ac239ae139e971c55a3e4f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/560-0-0x00000000748B1000-0x00000000748B2000-memory.dmp

Filesize
4KB

Download
memory/560-1-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/560-2-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/560-24-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/2468-8-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/2468-18-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads