metamorpherrat | da8bcbbbf398154b18c1f9d8a4c2799af67aff835ee82c8f65365376d236b74c

General

Target

875aa8aeeb28f3646c22208934098420N.exe
Size

78KB
MD5

875aa8aeeb28f3646c22208934098420
SHA1

7d8851d051042a454e26c1f31e540b21b8fc250c
SHA256

da8bcbbbf398154b18c1f9d8a4c2799af67aff835ee82c8f65365376d236b74c
SHA512

a577e9215c42f166e0c441792825412d9586d4edc7c3392c18942a108c40251ae77f4650e7444a031f64a620f3cd4a33014ca408a697db163481a8420e5f0e9a
SSDEEP

1536:xBWV5jSuAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6o9/I1Td:rWV5jSuAtWDDILJLovbicqOq3o+nA9/4

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	875aa8aeeb28f3646c22208934098420N.exe

Executes dropped EXE 1 IoCs

pid	Process
5016	tmp74E2.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp74E2.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	875aa8aeeb28f3646c22208934098420N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp74E2.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4176	875aa8aeeb28f3646c22208934098420N.exe
Token: SeDebugPrivilege	5016	tmp74E2.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 3936	4176	875aa8aeeb28f3646c22208934098420N.exe	84
PID 4176 wrote to memory of 3936	4176	875aa8aeeb28f3646c22208934098420N.exe	84
PID 4176 wrote to memory of 3936	4176	875aa8aeeb28f3646c22208934098420N.exe	84
PID 3936 wrote to memory of 3444	3936	vbc.exe	87
PID 3936 wrote to memory of 3444	3936	vbc.exe	87
PID 3936 wrote to memory of 3444	3936	vbc.exe	87
PID 4176 wrote to memory of 5016	4176	875aa8aeeb28f3646c22208934098420N.exe	90
PID 4176 wrote to memory of 5016	4176	875aa8aeeb28f3646c22208934098420N.exe	90
PID 4176 wrote to memory of 5016	4176	875aa8aeeb28f3646c22208934098420N.exe	90

C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe
"C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uvtfyu2c.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75AD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc278589D3FCAC4536B9294EF427B5E1D6.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3444
- C:\Users\Admin\AppData\Local\Temp\tmp74E2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp74E2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES75AD.tmp

Filesize
1KB

MD5
60b53eaa9ab6e9f5e559d147b22a83d0

SHA1
4b8c1d08df6ae39884d023394fb92b81e02abcbc

SHA256
fca61d753773f9231559bc54a0ca55ada8249c83f908aa39038574baf43dad44

SHA512
eafc32d49d5142daefad1be7225948b66ea9fd44d9ede6c8bf5d6f639e3c169273301f9caf90b9944dcd8ca5d8e1b5deac4e6d6264007872c13af3930d3d2356

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp74E2.tmp.exe

Filesize
78KB

MD5
aa74d6bb3a5f770da503272a5892ceab

SHA1
b4e3c32c43ce98f9945bd2ae5aecb6e7eaa721a9

SHA256
6a9dc2666fa896e83a7b82f4cb3347de2153010ec8bf65afcadfad47a1b1fd28

SHA512
c4e9e53814bf51cf1f483acc63c2485379f15358d6fbe4caab3a59b0f128837967b3be8bc9ff299569cfcc6b02de9fe53b2763e20648c152f9efc1030d63a7eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvtfyu2c.0.vb

Filesize
14KB

MD5
097b841b1925b3042a43b8ed6f3a7000

SHA1
38e6d24167ceb0e2a18ad624d0e523e5ef991dca

SHA256
fe777f282201b2ecfd8f7efbf3356b95267e21483c4f8ff74c70a802fc1c1e64

SHA512
a2681eea72c36983d75c0b66dd141fc975f283b552d72cdf0eb029a22da7c8710db55dbb266b86fb4ac6a654246a75137d94d8731125e68486d297d55c93699c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvtfyu2c.cmdline

Filesize
266B

MD5
b6a01382255d5c4600cc591de163bb36

SHA1
02dabd39ac4a0bb78d2e710d72017c2bfa1dba8d

SHA256
cf4c8352e1a9ebd87a1d32bca124caeb55610c3c5f809c4b4e227c02a81cbdb5

SHA512
82ce9970053618a1a3dcf52e8658ef3a05de95a37bf6401c0273314c27428da6c5474f8bc3af5f56653fb796e0422f05b91407df510a4a189bde54c13e1baa36

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc278589D3FCAC4536B9294EF427B5E1D6.TMP

Filesize
660B

MD5
82a256b4ef652003d2f3a98b1a3d4196

SHA1
ea6aff96ddb53d8436e8a3367c6c4d6102a84256

SHA256
cc9b9be295634421d9d78389dbad5ae211b373276b42c6ecd78b032c311c3e50

SHA512
20d93b9578ee878df547f20727d5d8f623d11842ce27819f408afc37d00fd7d88f07e1a51c35e60d2deb04c0b171042b91422553c0626d7153d6f183f8d23710

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/3936-18-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/3936-9-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/4176-1-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/4176-2-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/4176-0-0x0000000075212000-0x0000000075213000-memory.dmp

Filesize
4KB

Download
memory/4176-22-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/5016-23-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/5016-24-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/5016-25-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/5016-26-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/5016-27-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads