metamorpherrat | 5dcff7664cf550fde032b4e311f08ca5d39ade3c1b87453176eeedc595375cbf

General

Target

bc10385b1dd0486ef71c62d5df53d810N.exe
Size

78KB
MD5

bc10385b1dd0486ef71c62d5df53d810
SHA1

862b9314fa4e2285272dcfc7bc24cf18d8b18f8a
SHA256

5dcff7664cf550fde032b4e311f08ca5d39ade3c1b87453176eeedc595375cbf
SHA512

8070178de37490791c3a856df81820588eb6a90beba4162f90faceef6273e01086aeb6dec534a54a81019ecdfee0f9e499f6b0dcceadb20e7f30497679aa5315
SSDEEP

1536:fcRWtHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtL09/Nb:kRWtH/3ZAtWDDILJLovbicqOq3o+nL0v

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2736	tmpEDC8.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2232	bc10385b1dd0486ef71c62d5df53d810N.exe
2232	bc10385b1dd0486ef71c62d5df53d810N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpEDC8.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc10385b1dd0486ef71c62d5df53d810N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEDC8.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	bc10385b1dd0486ef71c62d5df53d810N.exe
Token: SeDebugPrivilege	2736	tmpEDC8.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2676	2232	bc10385b1dd0486ef71c62d5df53d810N.exe	31
PID 2232 wrote to memory of 2676	2232	bc10385b1dd0486ef71c62d5df53d810N.exe	31
PID 2232 wrote to memory of 2676	2232	bc10385b1dd0486ef71c62d5df53d810N.exe	31
PID 2232 wrote to memory of 2676	2232	bc10385b1dd0486ef71c62d5df53d810N.exe	31
PID 2676 wrote to memory of 2700	2676	vbc.exe	33
PID 2676 wrote to memory of 2700	2676	vbc.exe	33
PID 2676 wrote to memory of 2700	2676	vbc.exe	33
PID 2676 wrote to memory of 2700	2676	vbc.exe	33
PID 2232 wrote to memory of 2736	2232	bc10385b1dd0486ef71c62d5df53d810N.exe	34
PID 2232 wrote to memory of 2736	2232	bc10385b1dd0486ef71c62d5df53d810N.exe	34
PID 2232 wrote to memory of 2736	2232	bc10385b1dd0486ef71c62d5df53d810N.exe	34
PID 2232 wrote to memory of 2736	2232	bc10385b1dd0486ef71c62d5df53d810N.exe	34

C:\Users\Admin\AppData\Local\Temp\bc10385b1dd0486ef71c62d5df53d810N.exe
"C:\Users\Admin\AppData\Local\Temp\bc10385b1dd0486ef71c62d5df53d810N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zugrd8wz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEEB3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEEB2.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2700
- C:\Users\Admin\AppData\Local\Temp\tmpEDC8.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpEDC8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bc10385b1dd0486ef71c62d5df53d810N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEEB3.tmp

Filesize
1KB

MD5
56d3d6c4368d08dfd24188a61b7b5689

SHA1
a1508ef13cd0da25fbefba9ff37d6bbbcd677c86

SHA256
5eaeafc170474b59de9a16557b001e2326283939a2f97950d8ea3c7d4b37958e

SHA512
0f43a05a1ae531d6ed1f95dcc551f3d6294553a403a2ef282347a0cdbdd4b72c14596ddada2bab896293e9962740f9a03807291ae3181e75030a08c8afa7ece6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEDC8.tmp.exe

Filesize
78KB

MD5
b337767f85b5749468d9b628dd676302

SHA1
f2663d7e7a4b4df35a0b04ea7a335106755732b2

SHA256
dad3f8139088273260068b8176d41da89f851962e49a9013e3c68fc8799c433c

SHA512
07f365c9b30dbf5939fe27fb091f09408b5abc04dff152cc60e76e38d6c814a56892ad9b2de58b19b5ec20b0b4ec7d09b331a088611cb7164721c7a5ac782ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEEB2.tmp

Filesize
660B

MD5
ffdffdf9a2ec52e0bcdf2c89d88f563a

SHA1
10baf8207b4e2af55d1890076bf774da2302a1f3

SHA256
13119391dd0878ea37c79d7d84fd3d22fa3ec88e386f8dfc6499f502185e5179

SHA512
8c43de890bf96ccbe6b0d39f4327107c7abaf856dc53b56ece9f39909cf842c2735dca89bb1758f970a8e58bc98cb0c1c13c7749ac30a3db3d5adb3d6470a62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zugrd8wz.0.vb

Filesize
15KB

MD5
03540f76d9b77c66b34991c72e959bc3

SHA1
961cde73f840d79a12e6ff4d763c72260b267632

SHA256
90d12dd7f8a22c9e4d1ddc985c314c68ed9e03d2d9af401094f60ed05d162040

SHA512
36badbdd240b0742037b9e49058b8eeca61f40cf2f948a8b3edd774e8ab77b4f7478e8951b96c8ef0d7e68f77945db9ff70dd5c043aad4a6c3bad49083ea3ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\zugrd8wz.cmdline

Filesize
266B

MD5
f3b870d707486accc321519457440202

SHA1
298fea02c8bf2f0ed0d6454d49b64b9291ba2b08

SHA256
5b87f2d7e841da7d9b8c4997a3bf9b8c18520037a5003f620725879dbd4062d5

SHA512
12170c0ea07f2268d58cfd4482443c13682e1c554a89f2991b53b712f4e0662da8244e5df49b51b3554e7a701a10b4c336636b60421e920c95802ee6c152803b

Download Submit
memory/2232-0-0x0000000074E91000-0x0000000074E92000-memory.dmp

Filesize
4KB

Download
memory/2232-1-0x0000000074E90000-0x000000007543B000-memory.dmp

Filesize
5.7MB

Download
memory/2232-2-0x0000000074E90000-0x000000007543B000-memory.dmp

Filesize
5.7MB

Download
memory/2232-24-0x0000000074E90000-0x000000007543B000-memory.dmp

Filesize
5.7MB

Download
memory/2676-8-0x0000000074E90000-0x000000007543B000-memory.dmp

Filesize
5.7MB

Download
memory/2676-18-0x0000000074E90000-0x000000007543B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads