metamorpherrat | eee6b012e88a2c757fcdadfdc681e5c6ab2f748f84b8b1e8037340b1b8a2104d

General

Target

3bbf562527e29091bb75e829c2992850N.exe
Size

78KB
MD5

3bbf562527e29091bb75e829c2992850
SHA1

c9533421ce13b9b8e167544b0862414502813a95
SHA256

eee6b012e88a2c757fcdadfdc681e5c6ab2f748f84b8b1e8037340b1b8a2104d
SHA512

3d90b6094883356d8e6dda649bab6e553ce5b08cadd8316e390ee343b2e74732531af0e7b685707b7a839da5656f73d7bbf7326299e4d7f8018bce425aa480eb
SSDEEP

1536:5csHY6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qt59/a1f5:asHYI3ZAtWDDILJLovbicqOq3o+n59/O

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp9869.tmp.exe

pid process

2696 tmp9869.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

3bbf562527e29091bb75e829c2992850N.exe

pid process

1656 3bbf562527e29091bb75e829c2992850N.exe
1656 3bbf562527e29091bb75e829c2992850N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2696	tmp9869.tmp.exe

pid	process
1656	3bbf562527e29091bb75e829c2992850N.exe
1656	3bbf562527e29091bb75e829c2992850N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp9869.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp9869.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3bbf562527e29091bb75e829c2992850N.exevbc.execvtres.exetmp9869.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bbf562527e29091bb75e829c2992850N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9869.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3bbf562527e29091bb75e829c2992850N.exetmp9869.tmp.exe

description pid process

Token: SeDebugPrivilege 1656 3bbf562527e29091bb75e829c2992850N.exe
Token: SeDebugPrivilege 2696 tmp9869.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1656	3bbf562527e29091bb75e829c2992850N.exe
Token: SeDebugPrivilege	2696	tmp9869.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3bbf562527e29091bb75e829c2992850N.exevbc.exe

description	pid	process	target process
PID 1656 wrote to memory of 1892	1656	3bbf562527e29091bb75e829c2992850N.exe	vbc.exe
PID 1656 wrote to memory of 1892	1656	3bbf562527e29091bb75e829c2992850N.exe	vbc.exe
PID 1656 wrote to memory of 1892	1656	3bbf562527e29091bb75e829c2992850N.exe	vbc.exe
PID 1656 wrote to memory of 1892	1656	3bbf562527e29091bb75e829c2992850N.exe	vbc.exe
PID 1892 wrote to memory of 2684	1892	vbc.exe	cvtres.exe
PID 1892 wrote to memory of 2684	1892	vbc.exe	cvtres.exe
PID 1892 wrote to memory of 2684	1892	vbc.exe	cvtres.exe
PID 1892 wrote to memory of 2684	1892	vbc.exe	cvtres.exe
PID 1656 wrote to memory of 2696	1656	3bbf562527e29091bb75e829c2992850N.exe	tmp9869.tmp.exe
PID 1656 wrote to memory of 2696	1656	3bbf562527e29091bb75e829c2992850N.exe	tmp9869.tmp.exe
PID 1656 wrote to memory of 2696	1656	3bbf562527e29091bb75e829c2992850N.exe	tmp9869.tmp.exe
PID 1656 wrote to memory of 2696	1656	3bbf562527e29091bb75e829c2992850N.exe	tmp9869.tmp.exe

C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe
"C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j1ucalmt.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9954.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9953.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2684

C:\Users\Admin\AppData\Local\Temp\tmp9869.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9869.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2696

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9954.tmp
Filesize
1KB

MD5
b9eb8478a36ba9218f6069cbc259f274

SHA1
55d1d860ee0b020aa7291fa6d400e6c586bf8f57

SHA256
36997beb6caa00e1e79b7e670811641b456a0e69aa79f10b345a52a1cd8dfc57

SHA512
f21d6b02f03315d486b7f8b4c25f82986ba25004c979372044b62925d956e7e54cdfa92077cb6ced6cb7f769b668646868fced71be1cd17f6d9b22888cc14a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\j1ucalmt.0.vb
Filesize
15KB

MD5
2bb83e8f525826591f481a304dd000c6

SHA1
07a9363a8f3f8ce8ed940d81a01fc28aac36a08c

SHA256
db163abe3a492f98c4fb2c0b9a44f51ed6a348c0519fc782affbf17a8ee2ae02

SHA512
ee3580de2fe66ec01895a25dae534cc449f6c342bae9a76046d2a25ad2ada4a9266ac1279bc4ce7029f138408f98334ca26617e4580f0cd00b46774f2c8e6b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\j1ucalmt.cmdline
Filesize
266B

MD5
06a238db4f9879189576c972f94b032b

SHA1
0ab9e6ae0da07f764252f9b70c8f1d6e7943b61d

SHA256
4bbc04b0b21b15a76ee04a0e679e05086ec35ecc23de01b5a5907d2727ed85f4

SHA512
d74275fe71d82abe47885212874aeaa0d9197e4edbbce9bb5a7fa5047f91716901f16fcab91bedeb41b0c2d2102b5af263a9b7b0ee9a65725fea187b2042b9bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9869.tmp.exe
Filesize
78KB

MD5
252bfddb66909ca3a8d4ab6a00c5ce85

SHA1
632b2e48bd0573142c646f8dbd7ca3fc04b79c5a

SHA256
228356c505f8ea2e7ed1c078e4f0ed2e63a2cc1cded89aa32afc0716f8352c59

SHA512
7aa2f1ca5d430ce4385e7bd206df14db25c4f3c07002ee8b90344025edfa696aed76a723eb2f0fb27ff1f496dadc29e442108629faffbb82165e8344beb01c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9953.tmp
Filesize
660B

MD5
815ca81aba4be7934482d406d6b0054d

SHA1
d16210b7d726f815e29ed89705af58cebb5976f7

SHA256
d094f123a5558343f26bfb0e9df5b16dd10b399ebd1ea8bd42a19c6987a6b9c0

SHA512
8e21012d70305a2cdee907bc8b332ba07ed00baf050045e18e9dd1ce1e192e637b6a6c2e00b3acda720768c62e5cd11db18b3815938643ba0c097aae2ccc8fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1656-0-0x0000000074F31000-0x0000000074F32000-memory.dmp

Filesize
4KB

Download
memory/1656-1-0x0000000074F30000-0x00000000754DB000-memory.dmp

Filesize
5.7MB

Download
memory/1656-2-0x0000000074F30000-0x00000000754DB000-memory.dmp

Filesize
5.7MB

Download
memory/1656-24-0x0000000074F30000-0x00000000754DB000-memory.dmp

Filesize
5.7MB

Download
memory/1892-8-0x0000000074F30000-0x00000000754DB000-memory.dmp

Filesize
5.7MB

Download
memory/1892-18-0x0000000074F30000-0x00000000754DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads