metamorpherrat | 35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3

General

Target

35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe
Size

78KB
MD5

b4451d1342868b3df5aa828f123109c1
SHA1

8cdcdd3473d011d03cd92705bdc1f22ca953bd97
SHA256

35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3
SHA512

c7aaa0a5c7f1be006431b2e0dccf0da9c5db6bdcf34b732b95c96d9b202fba4f9310dafcbf1513502500596b522c7f897ddf6ad447634be22c69c03267dd63bd
SSDEEP

1536:xu5jSxAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6n9/Xe1o+:45jSxAtWDDILJLovbicqOq3o+nv9/w

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe

Deletes itself 1 IoCs

pid	Process
4536	tmp5EC9.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4536	tmp5EC9.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp5EC9.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5EC9.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4376	35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe
Token: SeDebugPrivilege	4536	tmp5EC9.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 4568	4376	35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe	86
PID 4376 wrote to memory of 4568	4376	35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe	86
PID 4376 wrote to memory of 4568	4376	35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe	86
PID 4568 wrote to memory of 5008	4568	vbc.exe	88
PID 4568 wrote to memory of 5008	4568	vbc.exe	88
PID 4568 wrote to memory of 5008	4568	vbc.exe	88
PID 4376 wrote to memory of 4536	4376	35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe	90
PID 4376 wrote to memory of 4536	4376	35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe	90
PID 4376 wrote to memory of 4536	4376	35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe	90

C:\Users\Admin\AppData\Local\Temp\35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe
"C:\Users\Admin\AppData\Local\Temp\35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\th5ifjw7.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES609E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE07B16F827049FD9C5C1185986918F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5008
- C:\Users\Admin\AppData\Local\Temp\tmp5EC9.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5EC9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\35adc75c8fbbbc4377db7053ce205309db0bd65e78b94483f7fed34c647ca6b3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES609E.tmp

Filesize
1KB

MD5
5f955da236113ea2361f77ebc99dac35

SHA1
4bab3b2455ef0adde5e6cb43a60455f7b56ad30a

SHA256
d634a8cd37f4573fe14e51d77686572c12cb0580c86d864ea2f7bb6e74cc4d75

SHA512
b61ef31590d0bfa0d3196caf8c5887e081b8b9b6544dd565c0d3385404b16d9743b32cea61cc39047148559caa1c15018c69c3bb681f127605f421049e821280

Download Submit
C:\Users\Admin\AppData\Local\Temp\th5ifjw7.0.vb

Filesize
14KB

MD5
da1f4988140541c52f57333a2da1649c

SHA1
e62565450eab1fb36dd3fd397ff2d5db7aff419a

SHA256
61c015778a4df22c857ebbd9d7612cfb1e619e34b1494420842f3f4b3306c43c

SHA512
933dfbf06314cafc2dd1418eaac9fc735cbead197344e03e43842ed339386f37d56d772ee5760e2d44cff3f32d82a9dfeb82b5cfdd4091e9afb2f63bc9fc5a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\th5ifjw7.cmdline

Filesize
266B

MD5
f90608b345c2bcddf5b50ec25a29426c

SHA1
5d2752dfd971a9980a842658e914fdb1b0c7a003

SHA256
c32064650f53fdbe3e19a4772d2fc15e2ba71c1ca8e2c4a5866c87b0d924ccb9

SHA512
5c475c18c5cbbbe69a280990578fd04f228d728f169008bee808925d428d13a0ee35cc2aacf40b3f178558ee77800ef6345619ef97636ac652f6001d5011579b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5EC9.tmp.exe

Filesize
78KB

MD5
f0662dae817f6d9d966dd6bcc1117b54

SHA1
74de4449df4ac109effca70707e69c3b5bd00506

SHA256
cafe8e06dfff47347d9fb014afaae547afc15f5f0e4aa04e65acbc67e80b5edf

SHA512
0dce4fc6abf42e30771e0c53cd1ee264304ccbf456550bde8c92bcb35cee9e194a4759ab6c5c612cf0c4f49f0d28c660ec2827f2df41ab2b3bdf27ca9b2f6933

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE07B16F827049FD9C5C1185986918F.TMP

Filesize
660B

MD5
69546721750ead1aa8ede3a1c4add01a

SHA1
c6899a42cbadc856a31fb8978de8ad762cc57730

SHA256
d72782476d5cff1bb6458756a83675a0a85921c4cd573c61ca1a58eafc93220f

SHA512
9b3e6d3368ba515066593587011482d76d475b755c497e006f95367903007b8fcfc7b73eeaa023c8ff09aca994e978e3518447047237a0d08507632eff608f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/4376-22-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4376-2-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4376-0-0x0000000074762000-0x0000000074763000-memory.dmp

Filesize
4KB

Download
memory/4376-1-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4536-24-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4536-23-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4536-25-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4536-26-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4536-27-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4568-18-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download
memory/4568-9-0x0000000074760000-0x0000000074D11000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads