metamorpherrat | da8bcbbbf398154b18c1f9d8a4c2799af67aff835ee82c8f65365376d236b74c

General

Target

875aa8aeeb28f3646c22208934098420N.exe
Size

78KB
MD5

875aa8aeeb28f3646c22208934098420
SHA1

7d8851d051042a454e26c1f31e540b21b8fc250c
SHA256

da8bcbbbf398154b18c1f9d8a4c2799af67aff835ee82c8f65365376d236b74c
SHA512

a577e9215c42f166e0c441792825412d9586d4edc7c3392c18942a108c40251ae77f4650e7444a031f64a620f3cd4a33014ca408a697db163481a8420e5f0e9a
SSDEEP

1536:xBWV5jSuAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6o9/I1Td:rWV5jSuAtWDDILJLovbicqOq3o+nA9/4

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmpC909.tmp.exe

pid process

2140 tmpC909.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

875aa8aeeb28f3646c22208934098420N.exe

pid process

2416 875aa8aeeb28f3646c22208934098420N.exe
2416 875aa8aeeb28f3646c22208934098420N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2140	tmpC909.tmp.exe

pid	process
2416	875aa8aeeb28f3646c22208934098420N.exe
2416	875aa8aeeb28f3646c22208934098420N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpC909.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpC909.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

875aa8aeeb28f3646c22208934098420N.exevbc.execvtres.exetmpC909.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	875aa8aeeb28f3646c22208934098420N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC909.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

875aa8aeeb28f3646c22208934098420N.exetmpC909.tmp.exe

description pid process

Token: SeDebugPrivilege 2416 875aa8aeeb28f3646c22208934098420N.exe
Token: SeDebugPrivilege 2140 tmpC909.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2416	875aa8aeeb28f3646c22208934098420N.exe
Token: SeDebugPrivilege	2140	tmpC909.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

875aa8aeeb28f3646c22208934098420N.exevbc.exe

description	pid	process	target process
PID 2416 wrote to memory of 2364	2416	875aa8aeeb28f3646c22208934098420N.exe	vbc.exe
PID 2416 wrote to memory of 2364	2416	875aa8aeeb28f3646c22208934098420N.exe	vbc.exe
PID 2416 wrote to memory of 2364	2416	875aa8aeeb28f3646c22208934098420N.exe	vbc.exe
PID 2416 wrote to memory of 2364	2416	875aa8aeeb28f3646c22208934098420N.exe	vbc.exe
PID 2364 wrote to memory of 2412	2364	vbc.exe	cvtres.exe
PID 2364 wrote to memory of 2412	2364	vbc.exe	cvtres.exe
PID 2364 wrote to memory of 2412	2364	vbc.exe	cvtres.exe
PID 2364 wrote to memory of 2412	2364	vbc.exe	cvtres.exe
PID 2416 wrote to memory of 2140	2416	875aa8aeeb28f3646c22208934098420N.exe	tmpC909.tmp.exe
PID 2416 wrote to memory of 2140	2416	875aa8aeeb28f3646c22208934098420N.exe	tmpC909.tmp.exe
PID 2416 wrote to memory of 2140	2416	875aa8aeeb28f3646c22208934098420N.exe	tmpC909.tmp.exe
PID 2416 wrote to memory of 2140	2416	875aa8aeeb28f3646c22208934098420N.exe	tmpC909.tmp.exe

C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe
"C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qbo7cyly.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA23.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA13.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2412

C:\Users\Admin\AppData\Local\Temp\tmpC909.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC909.tmp.exe" C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2140

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCA23.tmp
Filesize
1KB

MD5
ee9bb4fc99c4cceeb4e6c6d331385a14

SHA1
70a1f4737aaa1838be7c3911924ee65e2f4058a1

SHA256
b2d5d8aef1ccc2c7486282c1299d26d728b1a5ee9279af445d2f8f807018c52f

SHA512
cab6e24bbeecedc597902519ae5519454f3d14587ef480240a5ab528dfdb79e0b61f51a09af946b8a290f685e03adf878202f225f35160c67abd83b4706a82b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbo7cyly.0.vb
Filesize
14KB

MD5
bb71640497a5a797c9ed55ab810994bd

SHA1
a94be960969b74a197a3bcf40a6a5eba36326f4b

SHA256
9a3551f2ca9644b7e3b5f8c5a758ac7145db086bac9eeb1cfd99cb5a633f21dd

SHA512
97fd73cab96a2c1f34bbb090a3fc4a6bc6160ef6adc8ee3777737030321c06edae1d2156f408f4057e6bc41084430029c403e7a634617e633202710ba2e8658a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbo7cyly.cmdline
Filesize
266B

MD5
cf5e45ba445be123b119c98603a3f563

SHA1
005dc997106043f1a38cbf7ac7b9a1b0c67fee86

SHA256
def420c9a33c840cbaa248f6a384121f80bdd83eaf500cf01679e23082d78778

SHA512
c88817285ca1a0836ce219c5cb32f268b33c1a171a52540e3bf4546cb9264aab17247e4e164892f7d5bb7cd13c29a572354b2f2a4fedb9a59a7061655c6ca4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC909.tmp.exe
Filesize
78KB

MD5
f7b413dc85ee2dd14d2ea1c593d90ae6

SHA1
37a89a56b204dfe4c290dc7b4a311553dcfa31ec

SHA256
9c1ead7fd8754c561794345e89e50168cf5630dee933f84862351a176e224071

SHA512
a5d478d365ff1fbbc54bdda5dce0593ba83f936495b3a52643a53e77eb67c46074b8ad612e984277bfe3fccd8fd71eeaed9ba7f6715a1c203c18ed3c29a7b838

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCA13.tmp
Filesize
660B

MD5
f899797b0b089ee3b8fdbe4ce7fcf062

SHA1
1c268397419d8fbda02e1532a1ab19c2f9cbcbdf

SHA256
9d3aa4dbdbaa6adb4eecb7858e5a733458b8d3bab71e2f0d33b16a5170c21fe6

SHA512
7533426ee4f5b0ca90e5c7adef24a3347a946d02a9a5087ff6746888cd2817c889f5295e084b3f2a10fb677bd2b839463c3a01aff8bab4225acd44da6af9c4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2364-9-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2364-18-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2416-0-0x00000000744B1000-0x00000000744B2000-memory.dmp

Filesize
4KB

Download
memory/2416-1-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2416-2-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2416-23-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads