metamorpherrat | 9b1ae0cd2dbbd1cd096f21c3ddc868a0fdb6f032e21303429af9471918f0ee1c

General

Target

231d3e12da335f163aef75c1f98db0c0N.exe
Size

78KB
MD5

231d3e12da335f163aef75c1f98db0c0
SHA1

9631e386ba23f408ed7ee7754bf82e8ac87cce65
SHA256

9b1ae0cd2dbbd1cd096f21c3ddc868a0fdb6f032e21303429af9471918f0ee1c
SHA512

254b75579c0732773079f901d625aa0d82db0ee750b29675e5678d9a76ec2ef9476874f232179c9678b333acde5f9169f6b933668766bd9f4d76eac7f453b55d
SSDEEP

1536:scsHY6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtn9/U1Ri:fsHYI3ZAtWDDILJLovbicqOq3o+nn9/5

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Deletes itself 1 IoCs

pid	Process
2888	tmp3F22.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2888	tmp3F22.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2408	231d3e12da335f163aef75c1f98db0c0N.exe
2408	231d3e12da335f163aef75c1f98db0c0N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp3F22.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231d3e12da335f163aef75c1f98db0c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3F22.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	231d3e12da335f163aef75c1f98db0c0N.exe
Token: SeDebugPrivilege	2888	tmp3F22.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2788	2408	231d3e12da335f163aef75c1f98db0c0N.exe	30
PID 2408 wrote to memory of 2788	2408	231d3e12da335f163aef75c1f98db0c0N.exe	30
PID 2408 wrote to memory of 2788	2408	231d3e12da335f163aef75c1f98db0c0N.exe	30
PID 2408 wrote to memory of 2788	2408	231d3e12da335f163aef75c1f98db0c0N.exe	30
PID 2788 wrote to memory of 2712	2788	vbc.exe	32
PID 2788 wrote to memory of 2712	2788	vbc.exe	32
PID 2788 wrote to memory of 2712	2788	vbc.exe	32
PID 2788 wrote to memory of 2712	2788	vbc.exe	32
PID 2408 wrote to memory of 2888	2408	231d3e12da335f163aef75c1f98db0c0N.exe	33
PID 2408 wrote to memory of 2888	2408	231d3e12da335f163aef75c1f98db0c0N.exe	33
PID 2408 wrote to memory of 2888	2408	231d3e12da335f163aef75c1f98db0c0N.exe	33
PID 2408 wrote to memory of 2888	2408	231d3e12da335f163aef75c1f98db0c0N.exe	33

C:\Users\Admin\AppData\Local\Temp\231d3e12da335f163aef75c1f98db0c0N.exe
"C:\Users\Admin\AppData\Local\Temp\231d3e12da335f163aef75c1f98db0c0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jtn3qm6c.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES401D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc401C.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2712
- C:\Users\Admin\AppData\Local\Temp\tmp3F22.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3F22.tmp.exe" C:\Users\Admin\AppData\Local\Temp\231d3e12da335f163aef75c1f98db0c0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES401D.tmp

Filesize
1KB

MD5
722e7c59b1fef621a8767137fd802250

SHA1
00a8b37749b6fb0bc1be6fffda29f0e05809f188

SHA256
b915fd0bc2d2f7dcb9f1dd47084321378481c7b2890c99bf4491875418256c23

SHA512
6452459048041664d728de5e21e5c9cceafe5f3285f977fb25ba3c7f484a6fe7ba1fa53512bb52217a13058e80cc2347f86b96aa260ead6d2d524d4e42a2e1a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jtn3qm6c.0.vb

Filesize
15KB

MD5
3ddb393c08bdf75c25bf89e333430b7b

SHA1
14d9d5a189d2a5bd5913ca14d467b2dbb7e094e2

SHA256
0e6fb00f9447424ca7d5bb5bf88aacae9650ae7e2e195bf51b3d829c3bb9acb6

SHA512
1efd1587513adb8570c00f562a670c916a5909095e47b80f137db1bd719cf1a7c93d83a63f5cf957e73ac26e48851dadb917109ac81d690af48b7976ed2418bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jtn3qm6c.cmdline

Filesize
266B

MD5
c4f3b0084d7fe1fc6d4ba485478224dd

SHA1
ed3c16784bdf6c41ebf5877fe2904de51387013b

SHA256
b2acf97e3040bb1bd5b6a65e2f529473747952a3cd0763f556cb275cbc199911

SHA512
e2a520d48a103da735bac819032c46c54175cd1b89d5aa6cebd20865a0ec995dcf270629ed4f4d0122dee83bffcf9bfa9b91a910d380d1eb0fbbf223dab22f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3F22.tmp.exe

Filesize
78KB

MD5
caad0267073ba38321a17146b74fb1ac

SHA1
ef8249bb9a583b347a8ece35df25d9e15ac11f62

SHA256
c51111d776e067440dd7e530d820724651135c1eb9eefbe7ef7dc4fa21b69676

SHA512
de3664366df2952da53bb02f0181b2d01562aee2f17f7c84284632b34d7a95c9160ce86fd26fc66757319e61a539b51e65d36a5ed7b652b473e26b504977d30a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc401C.tmp

Filesize
660B

MD5
c4d76dac960f4399e03b96ca707e83d4

SHA1
d51be44dcbca984c264324fe880b05ba44d8b712

SHA256
732b651d795329892ee34711914c3380e95ab70d16d093a6af85d58d7ff135e3

SHA512
419380ee855b219581feca37d2ed88418061da57ad9a8e9670bb0b83149dc8a01e4c2a28a95102b58da3ed90d4b292d677db197a2f1fc473afa9aafdb8c5db4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2408-0-0x0000000074B21000-0x0000000074B22000-memory.dmp

Filesize
4KB

Download
memory/2408-1-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download
memory/2408-2-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download
memory/2408-24-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download
memory/2788-8-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download
memory/2788-18-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads