metamorpherrat | ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8

General

Target

ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe
Size

78KB
MD5

426b7f53123e33ecf63f7aa20efc3a06
SHA1

aab0f067e2d272bf4944bee7d7fcfc74e4409a74
SHA256

ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8
SHA512

8ca677a8f3efec0dac4603a8b189fe81b98e71d57e3db2d77d12bcebaf13992059430a00c338c5e343a5ef970b9bc95164cceb912cdab18eb36cc8cb8cb97c76
SSDEEP

1536:7XPy5jS7AlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti659/Mv13Y:7Py5jS7AtWDDILJLovbicqOq3o+nR9/D

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe

Executes dropped EXE 1 IoCs

Processes:

tmpAB24.tmp.exe

pid process

652 tmpAB24.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
652	tmpAB24.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpAB24.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpAB24.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exevbc.execvtres.exetmpAB24.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAB24.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exetmpAB24.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4504	ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe
Token: SeDebugPrivilege	652	tmpAB24.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exevbc.exe

description	pid	process	target process
PID 4504 wrote to memory of 720	4504	ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe	vbc.exe
PID 4504 wrote to memory of 720	4504	ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe	vbc.exe
PID 4504 wrote to memory of 720	4504	ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe	vbc.exe
PID 720 wrote to memory of 2336	720	vbc.exe	cvtres.exe
PID 720 wrote to memory of 2336	720	vbc.exe	cvtres.exe
PID 720 wrote to memory of 2336	720	vbc.exe	cvtres.exe
PID 4504 wrote to memory of 652	4504	ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe	tmpAB24.tmp.exe
PID 4504 wrote to memory of 652	4504	ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe	tmpAB24.tmp.exe
PID 4504 wrote to memory of 652	4504	ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe	tmpAB24.tmp.exe

C:\Users\Admin\AppData\Local\Temp\ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe
"C:\Users\Admin\AppData\Local\Temp\ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\74noocda.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC4D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc53A2E08DE544998AB58A82FE8F2D02D.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:2336

C:\Users\Admin\AppData\Local\Temp\tmpAB24.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpAB24.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:652

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\74noocda.0.vb
Filesize
14KB

MD5
66136ab15f34fcbf9ca13bcc1bf8bef8

SHA1
ae42312273339095d6ad8bf3c44d02e14226d685

SHA256
f82c54a01c0a29eba27af1f3eec6aad8c6b80076516e4c31f6e998bd8b66c31b

SHA512
4532c5b81d4e0b10596499c70c910fcc8e0e1744d02d4d549fb56f68b3633f181c1b8a38942106c961b0e8219d76da2fb73087857238b94c4461d5ade9002ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\74noocda.cmdline
Filesize
266B

MD5
ded79a9f9388551faec8d321742566c0

SHA1
96b82ec164eebdbaf4684a406b860ebfa589f4db

SHA256
d4c33f6dacc609c6ea8698e800efe0573750f3a5e4cc98067fd2b1953a005610

SHA512
a29b81a26228226d809805dea4535c622129f94c253c0f127effba88b6b0150f33b92dde801648d3cc3f0500834affe7fc8b8fc9a94bb16b283937679c13b821

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAC4D.tmp
Filesize
1KB

MD5
d715f7f1d22d8078648f477fb6685734

SHA1
3109993df4ad6b82f14d92324e8597003c35c939

SHA256
19418a34a3334431dd6adc9384330614d1923a610268096f63d7fbf0edb8b406

SHA512
cd92fd502e32fbde17ffa69e1af8bb017b56b1e54cd7cf45ff487e926e1e953cb405d75d828ff514184d738af1cf6ace130335a8bccae704b12539c9554f6785

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAB24.tmp.exe
Filesize
78KB

MD5
08d875ef03048d7d70bd00b05e290e10

SHA1
bfa16dbe2154710c4881c191abf54ad177518ad0

SHA256
0fdd68ba46a102f4e35b1d30796222092ac6bc721270d43e2414bee90430e4e7

SHA512
e5b39101e8a5abd513aad0265dbe7a8be10f311045e71895dc6f5ae7ffe4eb4cec4e8a758bf8240f39b6a9614c65844165e501dee065252d6a5ddf6c8042635d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc53A2E08DE544998AB58A82FE8F2D02D.TMP
Filesize
660B

MD5
ddb7089e247f88db00a3c28e8da0405f

SHA1
5218167cbf2042e17292199befadca54d6964a44

SHA256
535b2dd68204128bb9933baed8e5dd5faca833ff695d3e32917921086c8244ae

SHA512
c7992b0a99902413caaa1fe31a2a51c10d0cad04819ef92e8e6afaa6af4957c88a8ff05c72bf6d72e38d2821338fc909e47cc861118543ea72b271479db00abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/652-22-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/652-27-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/652-26-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/652-25-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/652-24-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/720-9-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/720-18-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/4504-23-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/4504-0-0x0000000074C92000-0x0000000074C93000-memory.dmp

Filesize
4KB

Download
memory/4504-2-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/4504-1-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads