metamorpherrat | 9491308a300ba9109bbcfeda7eb43523c6baa303aac29388a4e094389335f5d9

General

Target

d789b1da3f7db1631d15869a3276f1a0N.exe
Size

78KB
MD5

d789b1da3f7db1631d15869a3276f1a0
SHA1

db729847643ba46de490febb86c23562760fcf4a
SHA256

9491308a300ba9109bbcfeda7eb43523c6baa303aac29388a4e094389335f5d9
SHA512

903496b187f59e1a8f3ad526353290773d91b107ef81a53d059fd3dd5def08d3edabf4711d1833cf74b0779650f50fd01ed12b9f9bed50c11c8865b0fe2ff082
SSDEEP

1536:7ouHY6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtMT9/elB:8uHYI3ZAtWDDILJLovbicqOq3o+nMT9c

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2560	tmp4B62.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2104	d789b1da3f7db1631d15869a3276f1a0N.exe
2104	d789b1da3f7db1631d15869a3276f1a0N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp4B62.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4B62.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d789b1da3f7db1631d15869a3276f1a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	d789b1da3f7db1631d15869a3276f1a0N.exe
Token: SeDebugPrivilege	2560	tmp4B62.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2760	2104	d789b1da3f7db1631d15869a3276f1a0N.exe	30
PID 2104 wrote to memory of 2760	2104	d789b1da3f7db1631d15869a3276f1a0N.exe	30
PID 2104 wrote to memory of 2760	2104	d789b1da3f7db1631d15869a3276f1a0N.exe	30
PID 2104 wrote to memory of 2760	2104	d789b1da3f7db1631d15869a3276f1a0N.exe	30
PID 2760 wrote to memory of 2780	2760	vbc.exe	32
PID 2760 wrote to memory of 2780	2760	vbc.exe	32
PID 2760 wrote to memory of 2780	2760	vbc.exe	32
PID 2760 wrote to memory of 2780	2760	vbc.exe	32
PID 2104 wrote to memory of 2560	2104	d789b1da3f7db1631d15869a3276f1a0N.exe	33
PID 2104 wrote to memory of 2560	2104	d789b1da3f7db1631d15869a3276f1a0N.exe	33
PID 2104 wrote to memory of 2560	2104	d789b1da3f7db1631d15869a3276f1a0N.exe	33
PID 2104 wrote to memory of 2560	2104	d789b1da3f7db1631d15869a3276f1a0N.exe	33

C:\Users\Admin\AppData\Local\Temp\d789b1da3f7db1631d15869a3276f1a0N.exe
"C:\Users\Admin\AppData\Local\Temp\d789b1da3f7db1631d15869a3276f1a0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8a_mijhn.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C0F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C0E.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
- C:\Users\Admin\AppData\Local\Temp\tmp4B62.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4B62.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d789b1da3f7db1631d15869a3276f1a0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8a_mijhn.0.vb

Filesize
15KB

MD5
24804fe464f86a97ff1067bc3d18fdf9

SHA1
9e70ce9960429246492ad6a1fed4d4bf68077065

SHA256
96d23d3fb61db2853552b89d2854d43e2109b5f88ef592c206b4b9d3cbd55973

SHA512
5e73219e1eb459fae41697a884fe4d5f80b422fa93573899f5198fc726cdaa1947540ab95c51484015487cf7ff9632698e3f3a05ee63c96eac810e3d9f158c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a_mijhn.cmdline

Filesize
266B

MD5
9cbcc95b47bf48fbeb574c6613861f24

SHA1
3a5920707125afc430b6b9e66567ec09846447aa

SHA256
0ecbee96a0e84157088c85a823eadb85b869d8c5884bb38f3fc5843d0f04e1e6

SHA512
1cd2054ac9d2ebc129440bfa1932677749c2c241bba51889d9fb63b7c4ecb69b2eb538a240030365cdf317de8f88fe5e5e349150988fa04054015dae7036f868

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4C0F.tmp

Filesize
1KB

MD5
5b2ed7c60d1c4b10f39d9b97e3c99010

SHA1
255296802e647e20353be41b73482e5401278273

SHA256
4478e0a84de37f1525fa441a32780417abea7ef93add63a9fa1e3ab43b5fe55e

SHA512
33a1504d5d5ca1fd0cfd0ad3a1dbdf440203ef631254b6a9651e9f95e8f298e8398b71d2585acdcbc8ab60572aa123a818710500d18fa1211e1b36f1622b4f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4B62.tmp.exe

Filesize
78KB

MD5
7f72dfb1a12ec3183a3ff9dd97444940

SHA1
256477e63546dd9d00b67b43e0f113668e582248

SHA256
f4f933baa8c5c3b15fa11e0542dfe3a7806de7321bb3e847223589d72007ecaa

SHA512
03e83d52b57cf2d8f82e313176e519012645fcca86923e6415930dca97aa54de46ea48772c92935e24ce72501db56862ed5838ea39e55081de68327a01c31a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4C0E.tmp

Filesize
660B

MD5
2716d5bbe1b00ee6f9a42d120a645bce

SHA1
2cab82e0a9df9816b334ab5a4020cfc333947e1f

SHA256
99652a932cd9d0ed5e5f63e833b3c77ad82f9dcc6409606dd96fb2700d415d46

SHA512
33f243e47e993f796798817ff4dee32837e37664463386c5ccf5202746884f26d5b1d266e9066770601ea4510e9f5af7f451ea857a58f47a93d5b09a06290e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2104-0-0x0000000074931000-0x0000000074932000-memory.dmp

Filesize
4KB

Download
memory/2104-1-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2104-2-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2104-24-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2760-8-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2760-18-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads