metamorpherrat | 35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3

General

Target

35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe
Size

78KB
MD5

b4451d1342868b3df5aa828f123109c1
SHA1

8cdcdd3473d011d03cd92705bdc1f22ca953bd97
SHA256

35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3
SHA512

c7aaa0a5c7f1be006431b2e0dccf0da9c5db6bdcf34b732b95c96d9b202fba4f9310dafcbf1513502500596b522c7f897ddf6ad447634be22c69c03267dd63bd
SSDEEP

1536:xu5jSxAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6n9/Xe1o+:45jSxAtWDDILJLovbicqOq3o+nv9/w

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2020	tmpFA46.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
3012	35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe
3012	35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpFA46.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpFA46.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe
Token: SeDebugPrivilege	2020	tmpFA46.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 1348	3012	35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe	30
PID 3012 wrote to memory of 1348	3012	35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe	30
PID 3012 wrote to memory of 1348	3012	35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe	30
PID 3012 wrote to memory of 1348	3012	35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe	30
PID 1348 wrote to memory of 2368	1348	vbc.exe	32
PID 1348 wrote to memory of 2368	1348	vbc.exe	32
PID 1348 wrote to memory of 2368	1348	vbc.exe	32
PID 1348 wrote to memory of 2368	1348	vbc.exe	32
PID 3012 wrote to memory of 2020	3012	35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe	33
PID 3012 wrote to memory of 2020	3012	35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe	33
PID 3012 wrote to memory of 2020	3012	35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe	33
PID 3012 wrote to memory of 2020	3012	35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe	33

C:\Users\Admin\AppData\Local\Temp\35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe
"C:\Users\Admin\AppData\Local\Temp\35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zda8jf9o.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB22.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB21.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2368
- C:\Users\Admin\AppData\Local\Temp\tmpFA46.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpFA46.tmp.exe" C:\Users\Admin\AppData\Local\Temp\35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFB22.tmp

Filesize
1KB

MD5
7f569cfefc8858baf761ba7d17faecc6

SHA1
f7a45c9bcd8e6ed8d37b6cbb0fbe1b910c4ecf01

SHA256
7342c01573fb6f550b75ef4a8da5a5afc4c6aa7484597dfd1dda7b61f925e5cd

SHA512
fbfadb8b5822235ca738bc47a0a98d11a22f7ca6fbe705116043b097eb0ed4595ef54f1f91529310d812315118003ec0bc7545088d3b36a4b444218b434626b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFA46.tmp.exe

Filesize
78KB

MD5
65d5b9cd42424c40e0ec6c7a70a2019e

SHA1
41fcf540afa7faeec65bd945a221f67a5d0049e2

SHA256
fc3d47747c716549e6ccf31df732876ce9bbce4b9fe6ed26a0fb201354ddf611

SHA512
a02b96fc5ed3d2bf547776e9ebd34722e83d890449f7a6328068ce7692582bdcd0d4e567ac40443e5c8ef47a924c6b60b8caf24338c6bd16c4d31f950120f621

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFB21.tmp

Filesize
660B

MD5
ce59143af1764a550355dec7740657c2

SHA1
519e38fa028b355875787ae3a1008b9fa2ccb83a

SHA256
a84f64e8897f3aa91cb5c44ada0951558f327e0d9f03fd7604a938f36344db21

SHA512
554bb2666ed8391a0dba3fb1b5f4a3d2849ede06a35666d39039135fe337039d62e146447663318e5ce3f4d34195421416eb14b316c24fe070412f14f097a503

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zda8jf9o.0.vb

Filesize
14KB

MD5
2fd7820f71092bc48db8889be9edf8b8

SHA1
3eb61721c307e06905c10067aa4b15d9079398d2

SHA256
dfb418994c22e435942e76d4542695771734e0843f6f8c52eb8473025868beb6

SHA512
3922613175fd0c03c15ec873a15e12819575c355001389b4f24c489908da35ced55856a3c9806792a5be6113e197e2434f29a89d32dd717a94cf32eba2a0d2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zda8jf9o.cmdline

Filesize
266B

MD5
b984bf669fc4ffaa40101e03e58ff377

SHA1
c10bd6c77e211bddcef2db19d08452d1ba178218

SHA256
9361cd0fdaf80d031f69cec8ebe5ab5983a57b85dde2201fecf0c00e3573bad7

SHA512
3e8a3ada63c3fcb53e40d2afb4b5e4af3aa7c8e0247317f37e43cc915f796c3e8e18fd23eff7d7bb53f5032af02e37ba23cad0bb9f124fd128c3dba2a2cdb3e1

Download Submit
memory/1348-8-0x0000000074BE0000-0x000000007518B000-memory.dmp

Filesize
5.7MB

Download
memory/1348-18-0x0000000074BE0000-0x000000007518B000-memory.dmp

Filesize
5.7MB

Download
memory/3012-0-0x0000000074BE1000-0x0000000074BE2000-memory.dmp

Filesize
4KB

Download
memory/3012-1-0x0000000074BE0000-0x000000007518B000-memory.dmp

Filesize
5.7MB

Download
memory/3012-2-0x0000000074BE0000-0x000000007518B000-memory.dmp

Filesize
5.7MB

Download
memory/3012-24-0x0000000074BE0000-0x000000007518B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads