metamorpherrat | 880681cff5494f89bde63d793823bd1a707bbe14a404cb436dd4230c46e8e281

General

Target

880681cff5494f89bde63d793823bd1a707bbe14a404cb436dd4230c46e8e281.exe
Size

78KB
MD5

680e30ae058c79641e54499ed6505440
SHA1

407fb54325ea3fb7cdab1210c8d59c8f5dcdfae0
SHA256

880681cff5494f89bde63d793823bd1a707bbe14a404cb436dd4230c46e8e281
SHA512

487d26528382f6ca19da9293ce02e13b46f6ba7b0e605aeae08b718bd4e5b9a3491cd3301d575bdd0ce51eb561236bf08d3a9f6e7e10a2871d995cebfa01cc42
SSDEEP

1536:xFHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qt29/n1kb:bHFoI3ZAtWDDILJLovbicqOq3o+n29/w

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	880681cff5494f89bde63d793823bd1a707bbe14a404cb436dd4230c46e8e281.exe

Deletes itself 1 IoCs

pid	Process
3032	tmp8CFE.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3032	tmp8CFE.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp8CFE.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	880681cff5494f89bde63d793823bd1a707bbe14a404cb436dd4230c46e8e281.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8CFE.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	880681cff5494f89bde63d793823bd1a707bbe14a404cb436dd4230c46e8e281.exe
Token: SeDebugPrivilege	3032	tmp8CFE.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 4292	3004	880681cff5494f89bde63d793823bd1a707bbe14a404cb436dd4230c46e8e281.exe	84
PID 3004 wrote to memory of 4292	3004	880681cff5494f89bde63d793823bd1a707bbe14a404cb436dd4230c46e8e281.exe	84
PID 3004 wrote to memory of 4292	3004	880681cff5494f89bde63d793823bd1a707bbe14a404cb436dd4230c46e8e281.exe	84
PID 4292 wrote to memory of 1696	4292	vbc.exe	86
PID 4292 wrote to memory of 1696	4292	vbc.exe	86
PID 4292 wrote to memory of 1696	4292	vbc.exe	86
PID 3004 wrote to memory of 3032	3004	880681cff5494f89bde63d793823bd1a707bbe14a404cb436dd4230c46e8e281.exe	89
PID 3004 wrote to memory of 3032	3004	880681cff5494f89bde63d793823bd1a707bbe14a404cb436dd4230c46e8e281.exe	89
PID 3004 wrote to memory of 3032	3004	880681cff5494f89bde63d793823bd1a707bbe14a404cb436dd4230c46e8e281.exe	89

C:\Users\Admin\AppData\Local\Temp\880681cff5494f89bde63d793823bd1a707bbe14a404cb436dd4230c46e8e281.exe
"C:\Users\Admin\AppData\Local\Temp\880681cff5494f89bde63d793823bd1a707bbe14a404cb436dd4230c46e8e281.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lrvgrhh1.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F20.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc40F0C5523CDF485A8A5042F72C87C74D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1696
- C:\Users\Admin\AppData\Local\Temp\tmp8CFE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8CFE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\880681cff5494f89bde63d793823bd1a707bbe14a404cb436dd4230c46e8e281.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8F20.tmp

Filesize
1KB

MD5
60a011db4a93a8d5e5139cc6be88622e

SHA1
24bea6b36958f03b29ec7019f46a79b583212d6c

SHA256
5f3e38cd72118cc8cd7414f2e07cf40978dbfbb2fa4418d8ca9b29c960d1c713

SHA512
ef6f7635e8d8b77bcc1180144cceb8b0345d974fecc1e4a3bc8ca471841e224515f20b7ddfd1aca8f82faba5af8f56461e4388e5b3f3c57694418209a39461ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\lrvgrhh1.0.vb

Filesize
15KB

MD5
d184e7b6413676d0f45479fde1afb663

SHA1
5e882954f6eacbdcbb46763b64d3ee055f0f765b

SHA256
b8f1bb3d16f7eb33c6b717cc881c9ca51e93ba67ecdef9cbb876f60b6b2e1d07

SHA512
31bf80653cc028fec490cdf7eb16098c76c7a18b02a0acc9f967ad33394ecbc4d5d409572b7f5577dabe1f06d784a717355f4aff1c182c994b1c0dd713e937f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\lrvgrhh1.cmdline

Filesize
266B

MD5
c09229a1ad1d5d01c14a22950b08e120

SHA1
710f52992591775945730200afbcc3f820153606

SHA256
ce0b4e57406fb5d4a850ebb5b7b50626323061aa0a57949a5ffa42f6239f0a0f

SHA512
f6f3eeb83feef0fb1ec62457850ae1f0d839fe95e94dec9bb9495fb20f9a7fa5f2cf0f1a7dea35dbbdac7131084b9a958a7d1733dde819913cb87b0176c22184

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8CFE.tmp.exe

Filesize
78KB

MD5
8a216af31111bd771a5a83a47c1997df

SHA1
a98eb327ef809d49d2d614030ab12bfbcac4d365

SHA256
a7d375a1d538f7044fe49074f7ba445bf70eb1bacfaf0939a1fe38c25bfb884d

SHA512
61be9ca0cb8714a1aa0409b0d0c60eab1887929608086093d10fc2a8a4d3f0605de13754b2f019b588dad6369cebe0e2faf831b36eef0c41f22fa4806211e731

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc40F0C5523CDF485A8A5042F72C87C74D.TMP

Filesize
660B

MD5
89f16a92a05a016bcf4e06b4020b853a

SHA1
0212730ed314bacde70d69972deedd5f173b43ae

SHA256
122fe9246f821e54caf2865fdaa12d957590c3c74006e8e54e5790bbd7b7835d

SHA512
82a2f4fcb7cf6b577081683bff5991417acb25ab6815f9df324ca865f74bbc64a6ffcb9285d31cc8809a23879f0cbba3ba5f7773dbb6b21196f78546b610eb39

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/3004-0-0x0000000074C72000-0x0000000074C73000-memory.dmp

Filesize
4KB

Download
memory/3004-1-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/3004-2-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/3004-22-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/3032-25-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/3032-26-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/3032-23-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/3032-24-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4292-9-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4292-18-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads