metamorpherrat | c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8

General

Target

c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe
Size

78KB
MD5

9d797a1044fe51eac1ef33b2ff4fc011
SHA1

8b83c7bfdcd4b7ab6bcf9bf7851b35dee476e68d
SHA256

c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8
SHA512

008a3c5425b53001455255bf0cfd420e7eda02441f1d5be022980cfc3a20831a4b349b02389a6ab1e683a3efb238cff4ddc17b2dc89973565b8d7f1df8d8a784
SSDEEP

1536:vhHY6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtW9/a1FaF:5HYI3ZAtWDDILJLovbicqOq3o+nW9/xF

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe

Executes dropped EXE 1 IoCs

pid	Process
212	tmpC331.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpC331.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC331.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3424	c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe
Token: SeDebugPrivilege	212	tmpC331.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 3932	3424	c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe	86
PID 3424 wrote to memory of 3932	3424	c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe	86
PID 3424 wrote to memory of 3932	3424	c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe	86
PID 3932 wrote to memory of 4528	3932	vbc.exe	88
PID 3932 wrote to memory of 4528	3932	vbc.exe	88
PID 3932 wrote to memory of 4528	3932	vbc.exe	88
PID 3424 wrote to memory of 212	3424	c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe	92
PID 3424 wrote to memory of 212	3424	c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe	92
PID 3424 wrote to memory of 212	3424	c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe	92

C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe
"C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6x8pwur2.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC563.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D187814BC44BB9B07773660AD130.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4528
- C:\Users\Admin\AppData\Local\Temp\tmpC331.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC331.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6x8pwur2.0.vb

Filesize
15KB

MD5
d558b3e6bdaaf03ba432224c64ef5b01

SHA1
6f1a8efc504f5519eb48c45c053e484b0912221d

SHA256
9ea663ba1a68b6137cc60932886b7f7ff1c3b4830b8e2609647a54517f4440c1

SHA512
6fd2be0347ed288a8f062342073644cb8d81e787ba122acc1619a05329d00adab47cca6c487642fd302f92b00d10723ffc609a6de0978c815eedf1b4b1413d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\6x8pwur2.cmdline

Filesize
266B

MD5
50ad980528be442529f34753eaf960e3

SHA1
0111e72a560475e85afad57e95bd9807703ca822

SHA256
ef2f767881883ff1da6fe0ca52b0b6df3643f62475ff0bc9b2876ecd160e017a

SHA512
ff10c5c1ba55543d2873d03ed016f1e9b0400dd87e5c1cf799e55f03638aa7a0a735fc62464f07d16293815fc29edf0a9adaf2898276dfb36c088bf437a14ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC563.tmp

Filesize
1KB

MD5
ba0dfa7922abdd4a809704bcc6b38953

SHA1
8606b20d8e6efa1cbd50b45e441c4fb75f4ad151

SHA256
93f4c475dc0227bb2bd6bd24827ea1da66ac1511ae96dcb883f5bb621b5189ec

SHA512
3a1847c6362f9b91ee4dc19ae293f1ff9c3f0b1fdb5d3ec5c88dfaf5a684950e6e8d5dfc32461d571af842885bae919b0200419ce3db255037ea2843ee82ca01

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC331.tmp.exe

Filesize
78KB

MD5
ad2331d153d49a8328bfa69e6095bf9b

SHA1
82008a2f983b095df6794354261b7e916f51d64f

SHA256
9d3ff976dd7cec7b5784ccc43fb7176ddb46555ccb181976dad206793e1c7dfd

SHA512
00d59876bd46915782924a20ee77e86fe6802bfa283702bfa1c25c141c806b717a294dced7b87cec3f0e91795a17f44cb16d3c9e155927d6cf4aeedd4e12cb52

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6D187814BC44BB9B07773660AD130.TMP

Filesize
660B

MD5
c3b3c2e0048976aba40eac6271f08153

SHA1
870553c91500345124db58e7a4f3a6b7a1241791

SHA256
7be3a44c374b6397882283c551ed296f6a3e99aa8db79852a3354e92a743ac45

SHA512
494737a96d074383c723411b4327f360b793cb6dcac9461f359f2f6d04f9f4eb561687caf8f64ddd933986591eb8d422ebc1411feeb25e83a21bf08ab7f9158e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/212-23-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/212-24-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/212-25-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/212-26-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/212-27-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/3424-2-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/3424-1-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/3424-22-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/3424-0-0x0000000074C52000-0x0000000074C53000-memory.dmp

Filesize
4KB

Download
memory/3932-8-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/3932-18-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads