metamorpherrat | 1df9d721833821690d184d026328d08b558cc86cdc76a22bf928c423b1432326

General

Target

688b294b9ef8d5a3f168549eba57d450N.exe
Size

78KB
MD5

688b294b9ef8d5a3f168549eba57d450
SHA1

fc50681de435c3ec2956c53d1b0eb529d42ced36
SHA256

1df9d721833821690d184d026328d08b558cc86cdc76a22bf928c423b1432326
SHA512

ffc1523c568df784b83d583ebc93b92efda1c2e104592113134ecadd2fb1415b4e414e0885a2a52ce954652d14e02524b3c4afdccce9df29f85d876e8994a2cb
SSDEEP

1536:wTy5jpAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6dp9/A1V0:4y5jpAtWDDILJLovbicqOq3o+nP9/v

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	688b294b9ef8d5a3f168549eba57d450N.exe

Executes dropped EXE 1 IoCs

pid	Process
1216	tmp5DBB.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp5DBB.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	688b294b9ef8d5a3f168549eba57d450N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5DBB.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4848	688b294b9ef8d5a3f168549eba57d450N.exe
Token: SeDebugPrivilege	1216	tmp5DBB.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 3096	4848	688b294b9ef8d5a3f168549eba57d450N.exe	93
PID 4848 wrote to memory of 3096	4848	688b294b9ef8d5a3f168549eba57d450N.exe	93
PID 4848 wrote to memory of 3096	4848	688b294b9ef8d5a3f168549eba57d450N.exe	93
PID 3096 wrote to memory of 2380	3096	vbc.exe	95
PID 3096 wrote to memory of 2380	3096	vbc.exe	95
PID 3096 wrote to memory of 2380	3096	vbc.exe	95
PID 4848 wrote to memory of 1216	4848	688b294b9ef8d5a3f168549eba57d450N.exe	96
PID 4848 wrote to memory of 1216	4848	688b294b9ef8d5a3f168549eba57d450N.exe	96
PID 4848 wrote to memory of 1216	4848	688b294b9ef8d5a3f168549eba57d450N.exe	96

C:\Users\Admin\AppData\Local\Temp\688b294b9ef8d5a3f168549eba57d450N.exe
"C:\Users\Admin\AppData\Local\Temp\688b294b9ef8d5a3f168549eba57d450N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\icc5mtj2.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E96.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc74ABEE55185B408C82416ADE5E604133.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2380
- C:\Users\Admin\AppData\Local\Temp\tmp5DBB.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5DBB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\688b294b9ef8d5a3f168549eba57d450N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3884,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4148 /prefetch:8
1⤵
PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5E96.tmp

Filesize
1KB

MD5
25136593ae360dc98b5cd5cdba498858

SHA1
8f5e3ac0f6355d67d96da293b1a9c0c9df0fed89

SHA256
6858d2553763d1d38085f5d6e3877059b2deaa254ce2129addb8e8c2a6e7d917

SHA512
bb4d3fa2e321ba2849a85fa72d20fc77527c6cbf8794e5e5253b96135aecfac07296ebd6480799b3ca18cd86edd19b5e8a85cf81c223fcc9bd84abe9e58d3d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\icc5mtj2.0.vb

Filesize
14KB

MD5
5d9edb5eaacbeb3644c9b8831dac6caa

SHA1
df84aa32005af74b7b7ffec4c977d9d849c0dc17

SHA256
bbb7c1fc9b2475a9e9026b09927d758d76b8953903f7160b90d916b9cc28812b

SHA512
1dcf872a4f771bc930f9dbe8bced39fa783d27a37e0bf2948c861d7dc7e419edb87f435e5362900261eddd4bac656621d63268029676b3faf4570d2521456967

Download Submit
C:\Users\Admin\AppData\Local\Temp\icc5mtj2.cmdline

Filesize
266B

MD5
b6ac3b7cfd14fe69914c14f94cad9e03

SHA1
0f3f5c47bdd7cf32eeef3915b2c4d1a195f26a0a

SHA256
9864fd272307f4719025a2d69b5686482659d951ea7d52b19c3ddb5a20953d80

SHA512
fff18b36b48ae5fe806be14248059b0b264e61549829b4b6bfef45180cf015fb181d35dcffd0086b3dbd2bc3a6250f463d3c0d73fdae7744fcf741ed5286e8dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5DBB.tmp.exe

Filesize
78KB

MD5
ed2a6dbde8a20a0fbde8f0755e8e99b6

SHA1
e2a9e7dc8ae44e398e4722f35d8006f0f013febe

SHA256
ae45cc3c1052e221484dea60ce0eedf2c29e7545b54c2f48cb21391320eefc0e

SHA512
d6201f4a435e306bda163c085d145894c4947a24c6e9ab48a4083bb95e3d2460f820357c81dfb3fdb3e18fc24a2fc9b724b0adbc2eb2cb99650af3db478e77d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc74ABEE55185B408C82416ADE5E604133.TMP

Filesize
660B

MD5
01ca622179d3dab970595177a9b3633c

SHA1
f07bc30b70abfc24230a58db6fcd04f261c91a40

SHA256
26b61eddd347449eda40c3941abe823faf4b41dd4b36e6ee1f475f808e0b5c82

SHA512
914f53cdd6948ddd5abdd7d9425e0e1ad2f4e238747f157f58f4c34eb3b5decd87a4a8dc7027b29246a2fe4229a399756e94c87b220d746653fc1cc10aed443a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1216-24-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/1216-22-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/1216-25-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/1216-26-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/1216-27-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/1216-28-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/3096-8-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/3096-18-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/4848-2-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/4848-1-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/4848-0-0x0000000075362000-0x0000000075363000-memory.dmp

Filesize
4KB

Download
memory/4848-23-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads