metamorpherrat | ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8

General

Target

ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe
Size

78KB
MD5

426b7f53123e33ecf63f7aa20efc3a06
SHA1

aab0f067e2d272bf4944bee7d7fcfc74e4409a74
SHA256

ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8
SHA512

8ca677a8f3efec0dac4603a8b189fe81b98e71d57e3db2d77d12bcebaf13992059430a00c338c5e343a5ef970b9bc95164cceb912cdab18eb36cc8cb8cb97c76
SSDEEP

1536:7XPy5jS7AlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti659/Mv13Y:7Py5jS7AtWDDILJLovbicqOq3o+nR9/D

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpA1AC.tmp.exe

pid process

2460 tmpA1AC.tmp.exe

pid	process
2460	tmpA1AC.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe

pid	process
2408	ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe
2408	ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpA1AC.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpA1AC.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exevbc.execvtres.exetmpA1AC.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA1AC.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exetmpA1AC.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2408	ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe
Token: SeDebugPrivilege	2460	tmpA1AC.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exevbc.exe

description	pid	process	target process
PID 2408 wrote to memory of 1500	2408	ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe	vbc.exe
PID 2408 wrote to memory of 1500	2408	ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe	vbc.exe
PID 2408 wrote to memory of 1500	2408	ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe	vbc.exe
PID 2408 wrote to memory of 1500	2408	ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe	vbc.exe
PID 1500 wrote to memory of 1956	1500	vbc.exe	cvtres.exe
PID 1500 wrote to memory of 1956	1500	vbc.exe	cvtres.exe
PID 1500 wrote to memory of 1956	1500	vbc.exe	cvtres.exe
PID 1500 wrote to memory of 1956	1500	vbc.exe	cvtres.exe
PID 2408 wrote to memory of 2460	2408	ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe	tmpA1AC.tmp.exe
PID 2408 wrote to memory of 2460	2408	ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe	tmpA1AC.tmp.exe
PID 2408 wrote to memory of 2460	2408	ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe	tmpA1AC.tmp.exe
PID 2408 wrote to memory of 2460	2408	ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe	tmpA1AC.tmp.exe

C:\Users\Admin\AppData\Local\Temp\ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe
"C:\Users\Admin\AppData\Local\Temp\ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qphbdlb1.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2A6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA2A5.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:1956

C:\Users\Admin\AppData\Local\Temp\tmpA1AC.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA1AC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2460

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA2A6.tmp
Filesize
1KB

MD5
836a3f1ff70f4413c8be3f2ad71f0377

SHA1
9f7122b465ca97c45abeb680de16bfff66dc1ddb

SHA256
367a6db4c4aa8fe947564a5576be6cc6abfa1d65e775817a5518b4332cddfa61

SHA512
ce018b6cf5724e70427b5c65bc93ce5e5e0ecf63257808d9cbe7ba4c16895dc259efc06a7461d5326aeff3af8a222acf9a288650f6b40c09893704e9fac41ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qphbdlb1.0.vb
Filesize
14KB

MD5
b00b51c8c9fd21be4e080c08d2bf4727

SHA1
486ac0eea8f1f3c6d89fce03e82d4773d5518992

SHA256
c5bd3917ebf1437c502b03812f9a75637c86e01cb527c7bf66513dd6fd76ee57

SHA512
bcd475e50fe01fde511d736aefdab3f0504f1f8719008dec702e430183f6bbb24eb5b47749bb28e65a6b857c05ebb050d3361c1d4d5e559a005dd88a1063af43

Download Submit
C:\Users\Admin\AppData\Local\Temp\qphbdlb1.cmdline
Filesize
266B

MD5
29e5b543125ddb19db4a803e050bc0ab

SHA1
0ef2d354ea267f49723601e3f32663cbb274c1c0

SHA256
e672d7b662af91056d19dfcea9df05423f9056009457679f5542ceb403558b1e

SHA512
74f277d24157f3db3170efdb13a77a73fa466417cbba4829fb5f17064c5e5bc67a62cb0e48e8824549b8e4de147b5e4159b66dc79a1e14e18dc983dfb5b21ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA1AC.tmp.exe
Filesize
78KB

MD5
ae5163ffc61e2bd492dbe5aeb9c3ffcd

SHA1
4c2cb9dadf55bad462e4ba680226d05029910b07

SHA256
8eafac4871f484e76fcd357d8e55fc51e9c6c4f5136b60d14585780b6839f740

SHA512
4e090206c9fc5701a0bed9e5aa9b016da030fad2cdacf2c8851ff3317005ae55db4624011bda79e60c462a52ac1dd83dc39d645b1866a03982a997501e34d4f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA2A5.tmp
Filesize
660B

MD5
654afd80e5e8f65175c20f89dc9f184e

SHA1
d596d363849fc28dc5ef25a31877de31035c84fc

SHA256
5f18382533170794aad22c5521001e7a7dbbe932c005cc2209f81f91658f7b35

SHA512
a6d8e1c51b7837313a0242de9de85d7c7be50090b888d670ed33775445728ce3af9ced094810adcbaf51e41b7a280841a7999b0bcb67b89c05342634ff9971e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1500-9-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1500-18-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2408-0-0x0000000074611000-0x0000000074612000-memory.dmp

Filesize
4KB

Download
memory/2408-1-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2408-3-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2408-24-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads