metamorpherrat | 9491308a300ba9109bbcfeda7eb43523c6baa303aac29388a4e094389335f5d9

General

Target

d789b1da3f7db1631d15869a3276f1a0N.exe
Size

78KB
MD5

d789b1da3f7db1631d15869a3276f1a0
SHA1

db729847643ba46de490febb86c23562760fcf4a
SHA256

9491308a300ba9109bbcfeda7eb43523c6baa303aac29388a4e094389335f5d9
SHA512

903496b187f59e1a8f3ad526353290773d91b107ef81a53d059fd3dd5def08d3edabf4711d1833cf74b0779650f50fd01ed12b9f9bed50c11c8865b0fe2ff082
SSDEEP

1536:7ouHY6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtMT9/elB:8uHYI3ZAtWDDILJLovbicqOq3o+nMT9c

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	d789b1da3f7db1631d15869a3276f1a0N.exe

Deletes itself 1 IoCs

pid	Process
2440	tmp94DD.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2440	tmp94DD.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp94DD.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp94DD.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d789b1da3f7db1631d15869a3276f1a0N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3496	d789b1da3f7db1631d15869a3276f1a0N.exe
Token: SeDebugPrivilege	2440	tmp94DD.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 4156	3496	d789b1da3f7db1631d15869a3276f1a0N.exe	84
PID 3496 wrote to memory of 4156	3496	d789b1da3f7db1631d15869a3276f1a0N.exe	84
PID 3496 wrote to memory of 4156	3496	d789b1da3f7db1631d15869a3276f1a0N.exe	84
PID 4156 wrote to memory of 460	4156	vbc.exe	87
PID 4156 wrote to memory of 460	4156	vbc.exe	87
PID 4156 wrote to memory of 460	4156	vbc.exe	87
PID 3496 wrote to memory of 2440	3496	d789b1da3f7db1631d15869a3276f1a0N.exe	89
PID 3496 wrote to memory of 2440	3496	d789b1da3f7db1631d15869a3276f1a0N.exe	89
PID 3496 wrote to memory of 2440	3496	d789b1da3f7db1631d15869a3276f1a0N.exe	89

C:\Users\Admin\AppData\Local\Temp\d789b1da3f7db1631d15869a3276f1a0N.exe
"C:\Users\Admin\AppData\Local\Temp\d789b1da3f7db1631d15869a3276f1a0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m88s5ngh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9635.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9E70823D424E4817A1AB238723835E4D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:460
- C:\Users\Admin\AppData\Local\Temp\tmp94DD.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp94DD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d789b1da3f7db1631d15869a3276f1a0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9635.tmp

Filesize
1KB

MD5
61e954b78983da5788d3d6976d9c72d4

SHA1
d2ad6dfd5d2da60a980cdd7f7c968b44683bc19b

SHA256
c15ee7a2b32ad0d77797312a17e3b9f3e74693408371ebad91e0c00b3adec972

SHA512
616777fc13a438e59f0b6b9cbfa333c128a4763283b158fc973da0d8b52b81e55a8af7d95533d0db4a516184e4c39dc88defdc2a0c5e90f64d0a2c24af212085

Download Submit
C:\Users\Admin\AppData\Local\Temp\m88s5ngh.0.vb

Filesize
15KB

MD5
72eb3a9118efd653a764437e1c58336f

SHA1
2769e4c2be0f0c5f51a86d144d21d3947f80eb15

SHA256
9fb81a1d920cda1acc52523990de6469afe6529060654b8e76f17c0a0ae54256

SHA512
82b5456e57744d462695918c3fd6d400da2a34db6369b57ef224df2402e09f67595a9a0760241fd26a7f0b5019294cac3fcab25758a4553b94f5ec1972d1edfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\m88s5ngh.cmdline

Filesize
266B

MD5
ffe34b93ee7af3cc80878f15255756be

SHA1
615f29a67540d32252b553b325c3da6d8891f5b7

SHA256
8d2d4445070bb0a46278e4867300ba50dc247843f71b0d69cc6d1797c6302afd

SHA512
5fc0c23ef0fafcb1e5c25b557d87a42cabaa2afa684e0d14df0a6a96f4ab748df2dfdf69e2dc8a3b29c208dbca8c1f882744b8e2ed2247b0c6b555ec6ce730a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp94DD.tmp.exe

Filesize
78KB

MD5
ab17169e0d312ee81bf8bffcac6874e1

SHA1
2ede3d93859d7da7d1ca8508fb7424fdea22ae41

SHA256
51d950d5c848899351ea3523e1479427c0ce8baf6c5aaa84246c4337feef6638

SHA512
b688b836bbc5db4858e3ce418b04b2ab93b0021d55b40bd2797b9f63f42aa3e9ecd73ab3ce3c4acfa9ca347977d1f7aa8368a5931907542b4f739ad55a04ae84

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9E70823D424E4817A1AB238723835E4D.TMP

Filesize
660B

MD5
96348cc8ed93e08073643198b0c79cd4

SHA1
ff5ff85d2cf1b7a48c2dc6e60b8c541ad982333c

SHA256
28fd93763a09f9c2685791a986f9274ac21d429dd6ed93ad499b77a6e1c61f28

SHA512
76438fb383da177a868a6eb3ee58e71e347a007ffb368a9d9aa74fff1fd3b6f6dcb20d70beb9f6c04d51002436e70aa6ff8b04f6886746196464ba7b2f679318

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2440-23-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/2440-24-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/2440-25-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/2440-26-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/2440-27-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/3496-2-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/3496-0-0x0000000074A62000-0x0000000074A63000-memory.dmp

Filesize
4KB

Download
memory/3496-1-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/3496-22-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/4156-13-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/4156-18-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads