metamorpherrat | eee6b012e88a2c757fcdadfdc681e5c6ab2f748f84b8b1e8037340b1b8a2104d

General

Target

3bbf562527e29091bb75e829c2992850N.exe
Size

78KB
MD5

3bbf562527e29091bb75e829c2992850
SHA1

c9533421ce13b9b8e167544b0862414502813a95
SHA256

eee6b012e88a2c757fcdadfdc681e5c6ab2f748f84b8b1e8037340b1b8a2104d
SHA512

3d90b6094883356d8e6dda649bab6e553ce5b08cadd8316e390ee343b2e74732531af0e7b685707b7a839da5656f73d7bbf7326299e4d7f8018bce425aa480eb
SSDEEP

1536:5csHY6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qt59/a1f5:asHYI3ZAtWDDILJLovbicqOq3o+n59/O

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3bbf562527e29091bb75e829c2992850N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	3bbf562527e29091bb75e829c2992850N.exe

Executes dropped EXE 1 IoCs

Processes:

tmp9982.tmp.exe

pid process

1536 tmp9982.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1536	tmp9982.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp9982.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp9982.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3bbf562527e29091bb75e829c2992850N.exevbc.execvtres.exetmp9982.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bbf562527e29091bb75e829c2992850N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9982.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3bbf562527e29091bb75e829c2992850N.exetmp9982.tmp.exe

description pid process

Token: SeDebugPrivilege 1168 3bbf562527e29091bb75e829c2992850N.exe
Token: SeDebugPrivilege 1536 tmp9982.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1168	3bbf562527e29091bb75e829c2992850N.exe
Token: SeDebugPrivilege	1536	tmp9982.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3bbf562527e29091bb75e829c2992850N.exevbc.exe

description	pid	process	target process
PID 1168 wrote to memory of 3204	1168	3bbf562527e29091bb75e829c2992850N.exe	vbc.exe
PID 1168 wrote to memory of 3204	1168	3bbf562527e29091bb75e829c2992850N.exe	vbc.exe
PID 1168 wrote to memory of 3204	1168	3bbf562527e29091bb75e829c2992850N.exe	vbc.exe
PID 3204 wrote to memory of 4920	3204	vbc.exe	cvtres.exe
PID 3204 wrote to memory of 4920	3204	vbc.exe	cvtres.exe
PID 3204 wrote to memory of 4920	3204	vbc.exe	cvtres.exe
PID 1168 wrote to memory of 1536	1168	3bbf562527e29091bb75e829c2992850N.exe	tmp9982.tmp.exe
PID 1168 wrote to memory of 1536	1168	3bbf562527e29091bb75e829c2992850N.exe	tmp9982.tmp.exe
PID 1168 wrote to memory of 1536	1168	3bbf562527e29091bb75e829c2992850N.exe	tmp9982.tmp.exe

C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe
"C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\md6iqq6d.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B08.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB9A17646829E4F88AA99C1E68C7142CB.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:4920

C:\Users\Admin\AppData\Local\Temp\tmp9982.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9982.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9B08.tmp
Filesize
1KB

MD5
dade52e7ca5c285b909c9b13e36c6775

SHA1
08eca86b009965a33e3e2f70f639a60cbcd259c7

SHA256
3630e79c9fc61722d00899fe1bae6292f897b154864a6a785bff9ae52c6c979c

SHA512
03e643e64893572943e1730c00a29f6d041158ea4c29bb12f13ea51ebcbcb8dd9d45609cbdb901492971550503a8d617d4dc9e186404d50bcef5d8b894c9b8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\md6iqq6d.0.vb
Filesize
15KB

MD5
898858c0f81d4d8cbc2cd7eaeed24d30

SHA1
2bfd5c74d3845f269cf76846507f69a469e26040

SHA256
39f5b0f5f729cbbd63040ce59f724f2ac716f72a227e29044c71a11b0d586ca1

SHA512
cb54bcb39e8b6aa550e73da43b05b32f20ac0293d9f10df255e7759c851d2b83ddbf0c61f503b8c275b60cb1cc8955f94a7a78d4cc221817b75ba260ad45d613

Download Submit
C:\Users\Admin\AppData\Local\Temp\md6iqq6d.cmdline
Filesize
266B

MD5
9c042f8abdb62d719fdad8a79e517d61

SHA1
27b3b7edc39d2dd740f36c5e057ffeec30d0b412

SHA256
d4c2cc330394300258fdaa71fc03cf0793fdff0e72ff221b772e7ee1ab14538b

SHA512
6128181c297c32ab6ffd7058a913878dbab0de42f54b5a33e855e391a24c79998f53d5a6b00c3d73d138bb785e010efd093427f94c6dbeacdad84a1b22d4baec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9982.tmp.exe
Filesize
78KB

MD5
a8c0264a6496bbc3e2055c694df10ef9

SHA1
d890f306656b1e84dc67bee04c3f8255a7c83fae

SHA256
7f57d3c60eebd817045455d90569aa535e7bacac768d815eef74b5cf3da20d50

SHA512
a129a9c75f64a4053d2b047bd4609afa0ccc386db13fb56fd8741e2b079d81dae54c22ba72e522de9fb577507dabece595904174d29acd1a46fa96e7fba93c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB9A17646829E4F88AA99C1E68C7142CB.TMP
Filesize
660B

MD5
bad742d876619e7dcaf23d16f60265d5

SHA1
40c35d73d94c158b87bd97b330714479bda7c2f1

SHA256
bcfa48ac68438c33e6a3b717cbf134cdaad8dd81d2a85fac6eb559d09d73eb59

SHA512
f147572a333d851eb2987fca8c4ce478985179ff0223e9e8d18e05c710e86c60c5b46ad122c330552fa894c79b60c21fd38440c70489c0722d3e7e55203e4435

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1168-22-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1168-1-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1168-2-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1168-0-0x00000000750D2000-0x00000000750D3000-memory.dmp

Filesize
4KB

Download
memory/1536-23-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1536-24-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1536-25-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1536-26-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1536-27-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/3204-18-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/3204-9-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads