metamorpherrat | 5b041ea35bd306fba33f6927a9c00763fce1401a93c48631ac05c5a2c2aabd01

General

Target

34a7acb4ec783f265ba0e9ef18802660N.exe
Size

78KB
MD5

34a7acb4ec783f265ba0e9ef18802660
SHA1

7829296cc48c50e132fb11606fab14ee39a1d0e5
SHA256

5b041ea35bd306fba33f6927a9c00763fce1401a93c48631ac05c5a2c2aabd01
SHA512

ffcb950649d836e7bafe817ba926e922760050fbbb463215dad9697f2c276c3eff1d8d88824efce07abba3fe92a27b825187079953440ad23fd8073d2f5f21ba
SSDEEP

1536:ArjtHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtPc99/zp:2jtH/3ZAtWDDILJLovbicqOq3o+nPc9F

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2812	tmp91E3.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2800	34a7acb4ec783f265ba0e9ef18802660N.exe
2800	34a7acb4ec783f265ba0e9ef18802660N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp91E3.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34a7acb4ec783f265ba0e9ef18802660N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp91E3.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	34a7acb4ec783f265ba0e9ef18802660N.exe
Token: SeDebugPrivilege	2812	tmp91E3.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2716	2800	34a7acb4ec783f265ba0e9ef18802660N.exe	30
PID 2800 wrote to memory of 2716	2800	34a7acb4ec783f265ba0e9ef18802660N.exe	30
PID 2800 wrote to memory of 2716	2800	34a7acb4ec783f265ba0e9ef18802660N.exe	30
PID 2800 wrote to memory of 2716	2800	34a7acb4ec783f265ba0e9ef18802660N.exe	30
PID 2716 wrote to memory of 2772	2716	vbc.exe	32
PID 2716 wrote to memory of 2772	2716	vbc.exe	32
PID 2716 wrote to memory of 2772	2716	vbc.exe	32
PID 2716 wrote to memory of 2772	2716	vbc.exe	32
PID 2800 wrote to memory of 2812	2800	34a7acb4ec783f265ba0e9ef18802660N.exe	33
PID 2800 wrote to memory of 2812	2800	34a7acb4ec783f265ba0e9ef18802660N.exe	33
PID 2800 wrote to memory of 2812	2800	34a7acb4ec783f265ba0e9ef18802660N.exe	33
PID 2800 wrote to memory of 2812	2800	34a7acb4ec783f265ba0e9ef18802660N.exe	33

C:\Users\Admin\AppData\Local\Temp\34a7acb4ec783f265ba0e9ef18802660N.exe
"C:\Users\Admin\AppData\Local\Temp\34a7acb4ec783f265ba0e9ef18802660N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7ahoie6i.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93F7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc93F6.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2772
- C:\Users\Admin\AppData\Local\Temp\tmp91E3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp91E3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\34a7acb4ec783f265ba0e9ef18802660N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ahoie6i.0.vb

Filesize
15KB

MD5
9545144bd6951ec06122d4698da13aac

SHA1
316b26706abb12f5b2a150c30653df0340ca1b11

SHA256
1e6e2063177f896ddd65174cf3b1f1b56802514fdd1942a4105ebd2a4fc6d00a

SHA512
447508508b9f9f0faa948017d0b5a6a740954a8a5739d1551923be0453bc778357e01e7421bd495c087b9591bf980eccc522820dfca6e5fc620ca16f60bade96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ahoie6i.cmdline

Filesize
266B

MD5
8e5cec4bf0adf59d1f3518d004895c77

SHA1
27294bf26b47b2d5f595a5e324cc4d43fa9a96b0

SHA256
64a49b866f2893594eb7242f94650f233e751a6f7c474ea478db9614cdd9c49d

SHA512
b79b2952d6f643a52a5d926ceae35e4971d25181f6d87817f30ba66c5009c049b3aa7b8ec2b56aa533865055930b9a2b2c2bd4b4922977ee95e9cd6be8b0f320

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES93F7.tmp

Filesize
1KB

MD5
485947bc70a5ea69645d6395cec0b875

SHA1
d7d557db108f8f986577c64b869dff6e3370b5b1

SHA256
f27a43f6301c34c45cc1cb2c16e407a83b130250c8fadcea4c8034b2593f19fb

SHA512
d289b59e07b9417bb7bb933498f9f79212b0a32f2fc7c7abdb779153b5cbdb85252d0d7c3be164c5c74dff65205948909112a4c5c9f7629c602bf4b9611b02d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp91E3.tmp.exe

Filesize
78KB

MD5
f4cf6415ff7029c378d5d2a4f74c39e7

SHA1
6df0e1bfbb20a0d965ed05b14704462862df048e

SHA256
eeb52aa6eadd500f5e4981792f0ba400b0613cbb5a3a49597eadedf247b7a9b4

SHA512
3a9c280a5e78217d5f747ad090a0dac6c97eae279c4981c10879b7d3b80d08951c55544919a88b17c082ff28b0e21c6e0ebcb73bab56ad48970d9c2a7885bf8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc93F6.tmp

Filesize
660B

MD5
0fb2fe4cb870aa4000c597e3e83bf345

SHA1
dbc6a4fcf6425a7e97b041f05c4bcf57845584db

SHA256
bca91a138527f460bdbb92da728dca50bdd8a11464005b6802b6c966a4e83ff2

SHA512
f24c636cc62dd85875b93941b5a83445e034aaf90a916015c231dc4374f34effa8825bcf3ea330792b4ca1cfd789f7788f706f6430859ace5b6cfc3d4cf11b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2716-8-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-18-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-0-0x0000000074AE1000-0x0000000074AE2000-memory.dmp

Filesize
4KB

Download
memory/2800-1-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-2-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-24-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads