metamorpherrat | da8bcbbbf398154b18c1f9d8a4c2799af67aff835ee82c8f65365376d236b74c

General

Target

875aa8aeeb28f3646c22208934098420N.exe
Size

78KB
MD5

875aa8aeeb28f3646c22208934098420
SHA1

7d8851d051042a454e26c1f31e540b21b8fc250c
SHA256

da8bcbbbf398154b18c1f9d8a4c2799af67aff835ee82c8f65365376d236b74c
SHA512

a577e9215c42f166e0c441792825412d9586d4edc7c3392c18942a108c40251ae77f4650e7444a031f64a620f3cd4a33014ca408a697db163481a8420e5f0e9a
SSDEEP

1536:xBWV5jSuAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6o9/I1Td:rWV5jSuAtWDDILJLovbicqOq3o+nA9/4

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

875aa8aeeb28f3646c22208934098420N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	875aa8aeeb28f3646c22208934098420N.exe

Executes dropped EXE 1 IoCs

Processes:

tmp9F4D.tmp.exe

pid process

3996 tmp9F4D.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3996	tmp9F4D.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp9F4D.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp9F4D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

875aa8aeeb28f3646c22208934098420N.exevbc.execvtres.exetmp9F4D.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	875aa8aeeb28f3646c22208934098420N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9F4D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

875aa8aeeb28f3646c22208934098420N.exetmp9F4D.tmp.exe

description pid process

Token: SeDebugPrivilege 4632 875aa8aeeb28f3646c22208934098420N.exe
Token: SeDebugPrivilege 3996 tmp9F4D.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4632	875aa8aeeb28f3646c22208934098420N.exe
Token: SeDebugPrivilege	3996	tmp9F4D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

875aa8aeeb28f3646c22208934098420N.exevbc.exe

description	pid	process	target process
PID 4632 wrote to memory of 2456	4632	875aa8aeeb28f3646c22208934098420N.exe	vbc.exe
PID 4632 wrote to memory of 2456	4632	875aa8aeeb28f3646c22208934098420N.exe	vbc.exe
PID 4632 wrote to memory of 2456	4632	875aa8aeeb28f3646c22208934098420N.exe	vbc.exe
PID 2456 wrote to memory of 2228	2456	vbc.exe	cvtres.exe
PID 2456 wrote to memory of 2228	2456	vbc.exe	cvtres.exe
PID 2456 wrote to memory of 2228	2456	vbc.exe	cvtres.exe
PID 4632 wrote to memory of 3996	4632	875aa8aeeb28f3646c22208934098420N.exe	tmp9F4D.tmp.exe
PID 4632 wrote to memory of 3996	4632	875aa8aeeb28f3646c22208934098420N.exe	tmp9F4D.tmp.exe
PID 4632 wrote to memory of 3996	4632	875aa8aeeb28f3646c22208934098420N.exe	tmp9F4D.tmp.exe

C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe
"C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uobhuyvl.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0A5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc251E96B36A474761B81AEA78C4A734A.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:2228

C:\Users\Admin\AppData\Local\Temp\tmp9F4D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9F4D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA0A5.tmp
Filesize
1KB

MD5
174c94e34bf0041b7f2a5ab532078791

SHA1
22e3946748ed58461ab9407c0b91aaab8e1bc0d6

SHA256
316e25f054188b167af7876102edab82a6fc8824f5c2ba830382ec4cb8ac60b8

SHA512
2df292258413b17d5a8fa96e90cb3af0339038da9c328a08a46f038ca07449c38bc1fb80b80c72139bfcdd80a9fd483947c982bd25b6054b6a982fdb54018801

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9F4D.tmp.exe
Filesize
78KB

MD5
4e06db424331cd41293feed531d8e553

SHA1
a1daf139e034966324ac5999e0e8937af5c2e208

SHA256
b6d8ac59ccdfadf6e6bf7fccad47578799dccf69bb23ed66c6fffaf44ace50a6

SHA512
9940f81708ee6d54c5a5fcd21ebae29e166d106d62f407ec67a90bf2c7fe82c06b9817af98f8d96217f3f43d664ba14328dfc2ed815e6dcd40293888481d01c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uobhuyvl.0.vb
Filesize
14KB

MD5
7aefd80ae67a6654cfc81aec95b89bfd

SHA1
7905015f47aca81cd268fea2586ce8f6c9db3755

SHA256
ef7025caa044c483c7c034f0d3291486ab3f56417b670609b250e1b4b851939c

SHA512
46ee1d9c198d1aea07f760670ccd7e9767af1fef367e214aca93fe96a75a52f5b9cd1e8a9b64143720b6ded7b14f5f4b9487b91af989f942d40f6cb4d12be763

Download Submit
C:\Users\Admin\AppData\Local\Temp\uobhuyvl.cmdline
Filesize
266B

MD5
8b5eeb1cdf5b4cce747b7ee47d6f192a

SHA1
6940ae5e5f5c46cd2b7ac7fb4c1c02cc4d57e9ee

SHA256
068353ee77d78078b7a26448df7be1d6eaba1e8818e40a13bbfdcf8a5a926d8d

SHA512
f3d538c97c87aa48853ee66632063c79040722f94f08daaf30d0bc0ac076d03674bf42cd71c97a530ac81a8e52ae2de0e63ba4f8ba1e038066a6b4948cf98fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc251E96B36A474761B81AEA78C4A734A.TMP
Filesize
660B

MD5
eca07a75b2ef93d5e32a656d0f573db2

SHA1
ec22e3bcff4b85928f2d1b5cd2c05ef304a7170d

SHA256
d977b636abc1ec8c3a3fa19786ad0733e51e80222254bc4eda893953b594dd40

SHA512
fe980821fd68fe0833078da1478bffb7bc4af2e56c2204fb6a9101905eea3a7fdf9d44e7948af13b0804a035617fa39be3b1fd69c8904cace121d5060168cb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2456-18-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/2456-9-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/3996-23-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/3996-24-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/3996-25-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/3996-26-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/3996-27-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/4632-2-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/4632-0-0x0000000074C62000-0x0000000074C63000-memory.dmp

Filesize
4KB

Download
memory/4632-1-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/4632-22-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads