metamorpherrat | fbf293b952798dbf3c13ed9571533d70bc35f83af68d4e2647b7de183259228d

General

Target

70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe
Size

78KB
MD5

dac24be555c602c80489941360a2810f
SHA1

e4e283e68ace2e3282a1eb87f9692a0c4020a3b9
SHA256

70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093
SHA512

3447c46f54c26c05cd8e3bd0b89a5ed1534430c2bf2466a8355e043abe01747c2bd21ff3eb0a449df29354ba87905848cd89e8e16fcc995a328a68a038282504
SSDEEP

1536:BcuHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtLo9/E5:SuHFoI3ZAtWDDILJLovbicqOq3o+nLoO

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2156	tmpBB44.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2128	70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe
2128	70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpBB44.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBB44.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe
Token: SeDebugPrivilege	2156	tmpBB44.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2964	2128	70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe	30
PID 2128 wrote to memory of 2964	2128	70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe	30
PID 2128 wrote to memory of 2964	2128	70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe	30
PID 2128 wrote to memory of 2964	2128	70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe	30
PID 2964 wrote to memory of 2384	2964	vbc.exe	32
PID 2964 wrote to memory of 2384	2964	vbc.exe	32
PID 2964 wrote to memory of 2384	2964	vbc.exe	32
PID 2964 wrote to memory of 2384	2964	vbc.exe	32
PID 2128 wrote to memory of 2156	2128	70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe	33
PID 2128 wrote to memory of 2156	2128	70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe	33
PID 2128 wrote to memory of 2156	2128	70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe	33
PID 2128 wrote to memory of 2156	2128	70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe	33

C:\Users\Admin\AppData\Local\Temp\70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe
"C:\Users\Admin\AppData\Local\Temp\70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rnppjkdo.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD67.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBD66.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2384
- C:\Users\Admin\AppData\Local\Temp\tmpBB44.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBB44.tmp.exe" C:\Users\Admin\AppData\Local\Temp\70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBD67.tmp

Filesize
1KB

MD5
4f8d2bc90076b519f0095af4d117c947

SHA1
bfc6d38905fb8010f667fb0b75405aea37382994

SHA256
bbaefa84f24dc41f2132273327274609dd4e28ceb28a5c4b41827fedaf2eca45

SHA512
faf4922e3c7e888747a89677244fbfcca01611f86bd620adab460f726d1dd5950d5577685a5caacfe83bdf4e3cf85ee59bb1dd4fea9b5ac3b03b8b0668cf0fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rnppjkdo.0.vb

Filesize
15KB

MD5
904da9e2008332dbcdfa12769394b263

SHA1
87f22c9823467e8e0aa5e20027a4a28907cbfd68

SHA256
60ff13493eed450b8d5844bc90fdadf5fd998766dfbf36a393e99c55454745c7

SHA512
a5b84fae059f2f543f523e991b7cfbb2919a12de2a72e82065aa8033a11364b0c2c4f084b6f4eda7437ec4818f298eb38b45f3ef30f9b02d59d612d31c9e861d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rnppjkdo.cmdline

Filesize
266B

MD5
1cac8c3a5ed4bf5d07420b18cf94e5d6

SHA1
5fe05b43443bfdefacd0fb65e4331fc9e2492576

SHA256
1b897cc1ae3f5e438a4203a3297046d041e347568cae0cdb2e69c0092464ed14

SHA512
119edfd062c9887b7811a867bde0b429c7b2b24bd91f8379873e7a5566815694345625a56ffb4e30efbb9a49146e8b4695a5a5918a2d7aba3826c84cce02acff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBB44.tmp.exe

Filesize
78KB

MD5
982992af42901a90ee0ebf5ca7445336

SHA1
f10f72ea976c4bb8b1288a8942a419cc4c7fec71

SHA256
94e4f52c72f7b0bebbb2b71f9bdb1196f1a363b8731d9eb988f1b9111fbe920d

SHA512
59ffb689f35a31c2d7631bc22776028c52566a2a060389805ae56d923061c4aeec958fe8952a2266785af4125c1e830cca87a18310a36a1f0d204e847a12dccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBD66.tmp

Filesize
660B

MD5
5d2968862a5f218ad0ce9332d15519e0

SHA1
6cadcb33f015ce2ae35e106de80167a571a9cedc

SHA256
155a049b724c3a17144317a6229f9c536a48e6cbf7dbb4ec082a0e9034660d99

SHA512
77507935b1889b997f92676e7ccc1d3e64e523a0780a8c54fcb52bb621cb50c9da6691d38b090ebdc7b1661cff8c9e64be40edc11cf2fda41c68148f83fac04c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2128-0-0x00000000741C1000-0x00000000741C2000-memory.dmp

Filesize
4KB

Download
memory/2128-1-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2128-4-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2128-24-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2964-8-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2964-18-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads