metamorpherrat | 585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c

General

Target

585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe
Size

78KB
MD5

4ac5734609a61c9d9bd4be065b3f8686
SHA1

462ae637b528e8538c2926b01f7b368a98a9d40b
SHA256

585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c
SHA512

9acf8cf3871fbe9931cb575a7507822e380037e486140fd789d79373af6caf4628ec499e0785008669a84ae667d8774fae07ceccdd09a57e92c4b323cd3e5192
SSDEEP

1536:CVPWV53AlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtd679/fz1/0:YPWV53AtWDDILJLovbicqOq3o+nk9/f2

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe

Deletes itself 1 IoCs

pid	Process
5072	tmp80F7.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
5072	tmp80F7.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp80F7.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp80F7.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1392	585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe
Token: SeDebugPrivilege	5072	tmp80F7.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 1572	1392	585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe	84
PID 1392 wrote to memory of 1572	1392	585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe	84
PID 1392 wrote to memory of 1572	1392	585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe	84
PID 1572 wrote to memory of 3712	1572	vbc.exe	87
PID 1572 wrote to memory of 3712	1572	vbc.exe	87
PID 1572 wrote to memory of 3712	1572	vbc.exe	87
PID 1392 wrote to memory of 5072	1392	585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe	89
PID 1392 wrote to memory of 5072	1392	585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe	89
PID 1392 wrote to memory of 5072	1392	585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe	89

C:\Users\Admin\AppData\Local\Temp\585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe
"C:\Users\Admin\AppData\Local\Temp\585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n4t4la03.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES826E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1859EB49920248B58393CA7E7A629560.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3712
- C:\Users\Admin\AppData\Local\Temp\tmp80F7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp80F7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES826E.tmp

Filesize
1KB

MD5
dfef4211aee7725d9047d483a20a33c6

SHA1
166c81f1ef84dd9fb053b2755d12ce37dbe67b07

SHA256
664a78da150c1eb748600c5f895aa776ed3b582900337ce90bf27333df219c16

SHA512
2a2c7e6edb94adbd6261df01e62a80bbe6c313c94cb4c24f8a9da92f524b30f2a7860a3391a9b8cf3aafcace6485d0f849c5f88fb0563887088cffa7cc2ac919

Download Submit
C:\Users\Admin\AppData\Local\Temp\n4t4la03.0.vb

Filesize
14KB

MD5
84051d57c5de0ed224deeb712a43c5a9

SHA1
20aa3ec874b42c10bc0fa61bd08ae4cf083739f3

SHA256
12be5c38e3ba7e5660b4c3a8c27453226bd228abea3418934c037962cdc2dce5

SHA512
c4bab5e9ecf9b8b33dadae3f477bd071169e6c50591d4063f384f7d297514de49d621efe6fe8a9480486153da43c832aa9f4424eff35a98c1c345c2d835ba79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\n4t4la03.cmdline

Filesize
266B

MD5
6661e74fdf9221f9e51d1572bd62c86b

SHA1
e9c0852c7a02e08ccee297f8217a1d00404e2b5f

SHA256
292b5a77e02b7e02d4d0facb15d844b865e50d0d1446bf0acee898397077718b

SHA512
5ec767f582793fce49175af8dd8355f6f545efc943755781fd94eb463b8c2dcbf04454dcd5a9ae1981b34e41a45ffb44923399589170ea5bc727f109d04f31ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp80F7.tmp.exe

Filesize
78KB

MD5
1e6781a39f47d331d1990b37d9484290

SHA1
1b4f321468d59b2d1e4f5b5de1984b72913004c5

SHA256
2d386b9bbedf8290c5e9507bd2943fa249ad506b455340cf28068086afdb5ea8

SHA512
5849bb25a25f856d8b3405506688c699af89a4b6a1e78e9fc94501c0e3d2caa526bf1f2ef826119cefc5fe14a719a463142dee6fa0ab87e09adf5c9b2da3805a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1859EB49920248B58393CA7E7A629560.TMP

Filesize
660B

MD5
88c378d2ea31f447ce88a0f61924f34c

SHA1
9463ab5eae5bf0691afff1dc6aa9422ed283279f

SHA256
da7c74852db8ea92856605535cf105b20f03548df40e8b8173cff24d94b133b0

SHA512
5c4ddf968ac7d539ee0c94a28250d0cd2db4ee0fe62401c6cbc8d3cca25c83cb117f5c3ac479668d85851575074557f6c7d904ab0843d0006db9621eb975b55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1392-22-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/1392-2-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/1392-0-0x0000000074632000-0x0000000074633000-memory.dmp

Filesize
4KB

Download
memory/1392-1-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/1572-18-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/1572-9-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/5072-23-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/5072-24-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/5072-25-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/5072-26-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/5072-27-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads