metamorpherrat | 7ca9971555c8c939a595b07ac16418d37bc963df38cade7c560b49a3e7a5777a

General

Target

437334228a7a76a863aa1326b4bec8d0N.exe
Size

78KB
MD5

437334228a7a76a863aa1326b4bec8d0
SHA1

e6f3c06a00a555ff7da209dadb28d94d521b9d5a
SHA256

7ca9971555c8c939a595b07ac16418d37bc963df38cade7c560b49a3e7a5777a
SHA512

4b951b3afc38621190d3d560f79545094f241c24f35b959217942b8bd5ff421d69850d316c8c8f0b5c7897f21eb6acc39eb0bd32506cf8c4f263ab804871883a
SSDEEP

1536:nXe5QAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6e9/x1DA:Xe5QAtWDDILJLovbicqOq3o+n29/Y

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	437334228a7a76a863aa1326b4bec8d0N.exe

Executes dropped EXE 1 IoCs

pid	Process
3544	tmp7C92.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp7C92.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	437334228a7a76a863aa1326b4bec8d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7C92.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4008	437334228a7a76a863aa1326b4bec8d0N.exe
Token: SeDebugPrivilege	3544	tmp7C92.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 4596	4008	437334228a7a76a863aa1326b4bec8d0N.exe	85
PID 4008 wrote to memory of 4596	4008	437334228a7a76a863aa1326b4bec8d0N.exe	85
PID 4008 wrote to memory of 4596	4008	437334228a7a76a863aa1326b4bec8d0N.exe	85
PID 4596 wrote to memory of 1448	4596	vbc.exe	88
PID 4596 wrote to memory of 1448	4596	vbc.exe	88
PID 4596 wrote to memory of 1448	4596	vbc.exe	88
PID 4008 wrote to memory of 3544	4008	437334228a7a76a863aa1326b4bec8d0N.exe	89
PID 4008 wrote to memory of 3544	4008	437334228a7a76a863aa1326b4bec8d0N.exe	89
PID 4008 wrote to memory of 3544	4008	437334228a7a76a863aa1326b4bec8d0N.exe	89

C:\Users\Admin\AppData\Local\Temp\437334228a7a76a863aa1326b4bec8d0N.exe
"C:\Users\Admin\AppData\Local\Temp\437334228a7a76a863aa1326b4bec8d0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iqoedaqo.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E29.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc23419209DAD74CCEB0CB55116A43E6B4.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1448
- C:\Users\Admin\AppData\Local\Temp\tmp7C92.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7C92.tmp.exe" C:\Users\Admin\AppData\Local\Temp\437334228a7a76a863aa1326b4bec8d0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7E29.tmp

Filesize
1KB

MD5
29efa8d7a81a805db66985a2c52df880

SHA1
066587016ec13ec8576b923ad75aa1f54a18f1f9

SHA256
bfac051cedd14679b015ef6da6fdab28adebbd47353c10e4777bc5ccebbd2190

SHA512
ec21744a48333d4adaf833bffd9de1b4980c6477e77ed28f9449545d4b1bed89c9cc90736698209eda8b78b66e6b00c290a0831e854e1aa4349ecea33ec7fc8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqoedaqo.0.vb

Filesize
14KB

MD5
4051fc61a21b84820b3e47bdc5cc7629

SHA1
c92c2cec02f825c053e7a28f43ee5c6c02492d68

SHA256
df6603f587aac5e6edb4dcc672e4f51ce0b23ea26486ea1ebe0a5618a1e90f53

SHA512
fab58572d04aab76b585bc247ebb120c4e8733d7a29232401f5b0e3eb3743ed14b5de120a263fa4acec0d1ac9069ec5ab25446f0e7a36f6574ba7c21d3a74b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqoedaqo.cmdline

Filesize
266B

MD5
e56686b0951215bb1401767a2eada8c7

SHA1
3a03284cd7a52c1217bb16ec3530cc68f339e9bb

SHA256
8f107d4cfb85c5ce00433cc4a4f2b4e9b2226e754bb73fd3ba2f2d2d420e39e5

SHA512
a6ff943d93fe494df388f8380c006ee65bdf40c129ac67d3e86b39babac9d9bfc7204944790ed77b664aada69975f12253fe04cb0018ca991582a5c18328b120

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7C92.tmp.exe

Filesize
78KB

MD5
4f3a16a92772c4066a2b91a841df8048

SHA1
86f1e10b0e52692733fc6f1b6776027db4e07a3c

SHA256
61866098d379e3a2d60cbd8049f3a969c427c004febf44bdd31b9723ceb72d64

SHA512
81f1bd6fbd09808ea31341a94b858a411b55d1c3286ab35d1d24b7b86a0faaaca0534282d2d89c790be2e8b52d364a899b2e6a42261761b4639b6ddb9583ade1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc23419209DAD74CCEB0CB55116A43E6B4.TMP

Filesize
660B

MD5
8a5816204cbc965ae15f87c4f146fd42

SHA1
7cb1b03fa856c91ef833c92b92ab2a5e30ae256e

SHA256
05cbc60b94253b73e22a29b39af3ff277ffd36d4234c9b9f5c00579b4184b46a

SHA512
0fd72e1b99bc2250c9496ab7693fd80ada0fc498b9417f08a16fb027e313ab772435d4b30fa87c08acba737be2dca2ca696a3fdb9cbc1a5798ced565b89fc603

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/3544-23-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/3544-25-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/3544-24-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/3544-26-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/3544-27-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/3544-28-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/4008-2-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/4008-1-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/4008-22-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/4008-0-0x0000000075352000-0x0000000075353000-memory.dmp

Filesize
4KB

Download
memory/4596-8-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/4596-18-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads