metamorpherrat | eee6b012e88a2c757fcdadfdc681e5c6ab2f748f84b8b1e8037340b1b8a2104d

General

Target

3bbf562527e29091bb75e829c2992850N.exe
Size

78KB
MD5

3bbf562527e29091bb75e829c2992850
SHA1

c9533421ce13b9b8e167544b0862414502813a95
SHA256

eee6b012e88a2c757fcdadfdc681e5c6ab2f748f84b8b1e8037340b1b8a2104d
SHA512

3d90b6094883356d8e6dda649bab6e553ce5b08cadd8316e390ee343b2e74732531af0e7b685707b7a839da5656f73d7bbf7326299e4d7f8018bce425aa480eb
SSDEEP

1536:5csHY6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qt59/a1f5:asHYI3ZAtWDDILJLovbicqOq3o+n59/O

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3bbf562527e29091bb75e829c2992850N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	3bbf562527e29091bb75e829c2992850N.exe

Deletes itself 1 IoCs

Processes:

tmpAD09.tmp.exe

pid process

372 tmpAD09.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmpAD09.tmp.exe

pid process

372 tmpAD09.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
372	tmpAD09.tmp.exe

pid	process
372	tmpAD09.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpAD09.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpAD09.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3bbf562527e29091bb75e829c2992850N.exevbc.execvtres.exetmpAD09.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bbf562527e29091bb75e829c2992850N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAD09.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3bbf562527e29091bb75e829c2992850N.exetmpAD09.tmp.exe

description pid process

Token: SeDebugPrivilege 3632 3bbf562527e29091bb75e829c2992850N.exe
Token: SeDebugPrivilege 372 tmpAD09.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3632	3bbf562527e29091bb75e829c2992850N.exe
Token: SeDebugPrivilege	372	tmpAD09.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3bbf562527e29091bb75e829c2992850N.exevbc.exe

description	pid	process	target process
PID 3632 wrote to memory of 4756	3632	3bbf562527e29091bb75e829c2992850N.exe	vbc.exe
PID 3632 wrote to memory of 4756	3632	3bbf562527e29091bb75e829c2992850N.exe	vbc.exe
PID 3632 wrote to memory of 4756	3632	3bbf562527e29091bb75e829c2992850N.exe	vbc.exe
PID 4756 wrote to memory of 3596	4756	vbc.exe	cvtres.exe
PID 4756 wrote to memory of 3596	4756	vbc.exe	cvtres.exe
PID 4756 wrote to memory of 3596	4756	vbc.exe	cvtres.exe
PID 3632 wrote to memory of 372	3632	3bbf562527e29091bb75e829c2992850N.exe	tmpAD09.tmp.exe
PID 3632 wrote to memory of 372	3632	3bbf562527e29091bb75e829c2992850N.exe	tmpAD09.tmp.exe
PID 3632 wrote to memory of 372	3632	3bbf562527e29091bb75e829c2992850N.exe	tmpAD09.tmp.exe

C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe
"C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3u1asdgi.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF1C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA75238102A745638DA8ED9211F0BCA4.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:3596

C:\Users\Admin\AppData\Local\Temp\tmpAD09.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpAD09.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:372

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3u1asdgi.0.vb
Filesize
15KB

MD5
e70c97278d3529288bfc58dd11b84228

SHA1
6e1f992c13ae581f2651a05aceeacde6e491493f

SHA256
3b4298c437dfd66e977a6a08bc9ba5075e1cc44e0b204da88cd04e1110668a60

SHA512
f6deeb8c2a33b40449a350e8d63182161d25835f402517f2f002c43a45b504c9258d0b6b57d1ab7f8a6bd9b850aa369715e90d7e6d3862e5e9b9d38447152758

Download Submit
C:\Users\Admin\AppData\Local\Temp\3u1asdgi.cmdline
Filesize
266B

MD5
c043e47a7b63d87293f3280b79820768

SHA1
bbb78b85e4047c6704b85693bfd3817041aac605

SHA256
37c2f78b6ebd6838b6eb71c32f89454a14c3270a965296c5e6b71655dd7c3f4b

SHA512
ea364990d74784b22db1dba4fb697dbda2ddff2cb97cb4fe27bf8d4934016caac837a6c10320bb81994c08120cb3f982a46c8ed03c354c017ee340d97503e176

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAF1C.tmp
Filesize
1KB

MD5
0ec104bd7646a142629759eb56369e27

SHA1
35897aa8b823a81ccd42b1636f0b0fd7a4d6a909

SHA256
bac5470f81a8afa44647c9f2109fc6e8388bd4f823fa13a06693886c962116ca

SHA512
d9bff87255da49adc19ee1f4809b5e09e8abea34a0981a878d735eefadf122824524e90c331ef63ca6a1ca14f8177a6ae187cec9fffbf75fe8628e23f6f96829

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAD09.tmp.exe
Filesize
78KB

MD5
3a5fda60103a1ffc50d3024efb45a85e

SHA1
8f7db6a728efb711eee96876cdda5f70e7f45676

SHA256
4fce9b8dcfd6e8129b38819ea21642db7bdff088dd9db9d6035d4297802e4d85

SHA512
763e9291166611d216b66d4ea7df7256b174b46b47db54adcadbf47976f14c4499f06e6b367924a8092a71fb7cab35d4d3fa08e4a4820e92ed42ccc72340cae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA75238102A745638DA8ED9211F0BCA4.TMP
Filesize
660B

MD5
b2f595763357c2a35f6b54e86a71a435

SHA1
1a6b4a6b1ba061cfdc6b3e15b6f0012b13c930d4

SHA256
443fc11021a172a4d5a94d9b8a1f094e5082502f2fd4e1da120a10fa05b25aac

SHA512
b5f5614ea5fab402636b0975bdc887f497f4a664d51ee3d804abd50682df6baec4f6010bae65ed283a875333aeb03d03ed4f00a0c97910f9948838a407198d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/372-23-0x0000000074940000-0x0000000074EF1000-memory.dmp

Filesize
5.7MB

Download
memory/372-27-0x0000000074940000-0x0000000074EF1000-memory.dmp

Filesize
5.7MB

Download
memory/372-26-0x0000000074940000-0x0000000074EF1000-memory.dmp

Filesize
5.7MB

Download
memory/372-25-0x0000000074940000-0x0000000074EF1000-memory.dmp

Filesize
5.7MB

Download
memory/372-24-0x0000000074940000-0x0000000074EF1000-memory.dmp

Filesize
5.7MB

Download
memory/3632-22-0x0000000074940000-0x0000000074EF1000-memory.dmp

Filesize
5.7MB

Download
memory/3632-2-0x0000000074940000-0x0000000074EF1000-memory.dmp

Filesize
5.7MB

Download
memory/3632-0-0x0000000074942000-0x0000000074943000-memory.dmp

Filesize
4KB

Download
memory/3632-1-0x0000000074940000-0x0000000074EF1000-memory.dmp

Filesize
5.7MB

Download
memory/4756-18-0x0000000074940000-0x0000000074EF1000-memory.dmp

Filesize
5.7MB

Download
memory/4756-9-0x0000000074940000-0x0000000074EF1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads