metamorpherrat | 08bc5e5057aa256fbbafc292a5c1220b1b33cef8c593e75bbed896b3d72d5871

General

Target

ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe
Size

78KB
MD5

ff50a47e57f3aba9af3d23c7fe1ee9c0
SHA1

b1d7b995b1119d7058ac73364ce03553a149010a
SHA256

08bc5e5057aa256fbbafc292a5c1220b1b33cef8c593e75bbed896b3d72d5871
SHA512

487fa2770184c78dd7239c0e2c589e9b9f36677e2e2fbc0a9be65538eb8d8bb439f72be14bf44c4d94c76a4652ec39ade3409f33c906cd39ad12ecbf44ec7e56
SSDEEP

1536:MBWV5jcAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6J9/H1SO:2WV5jcAtWDDILJLovbicqOq3o+nx9/f

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2812	tmp40E7.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2640	ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe
2640	ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp40E7.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp40E7.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe
Token: SeDebugPrivilege	2812	tmp40E7.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2752	2640	ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe	30
PID 2640 wrote to memory of 2752	2640	ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe	30
PID 2640 wrote to memory of 2752	2640	ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe	30
PID 2640 wrote to memory of 2752	2640	ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe	30
PID 2752 wrote to memory of 2652	2752	vbc.exe	32
PID 2752 wrote to memory of 2652	2752	vbc.exe	32
PID 2752 wrote to memory of 2652	2752	vbc.exe	32
PID 2752 wrote to memory of 2652	2752	vbc.exe	32
PID 2640 wrote to memory of 2812	2640	ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe	33
PID 2640 wrote to memory of 2812	2640	ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe	33
PID 2640 wrote to memory of 2812	2640	ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe	33
PID 2640 wrote to memory of 2812	2640	ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe	33

C:\Users\Admin\AppData\Local\Temp\ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe
"C:\Users\Admin\AppData\Local\Temp\ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_ayrzcwr.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES427D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc426D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2652
- C:\Users\Admin\AppData\Local\Temp\tmp40E7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp40E7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES427D.tmp

Filesize
1KB

MD5
7382003a80600fb09b8d386f36dd3766

SHA1
22862b94766ba24ae8584ea6dec45f3599d2c16a

SHA256
2505fb46e71b1105c16fda49c524ea6c73ff97dac1ce23b465f4360f03719676

SHA512
ef844a64ef2c0cd0156c92f054caee676d15beca4581383cfc8888e6776f884717e806bf14eb3502d17686f6e27e0fa4af5414b818a5a0183b84e2045410dc8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ayrzcwr.0.vb

Filesize
14KB

MD5
765e07de1e4862c79c6ff5296ea571f9

SHA1
1d6db2696423116544e1181b04f7eaa3b7a8152f

SHA256
1f4c9886b69bd05fd44548432229552410aab84b30e96de48cd5b85a34606b12

SHA512
ef0edadafa66fdacaf584fb52a31d2b732ec237888d6a98983b25790870ad7403b0175adcd07a1e222fd11c875c00f672edd321851125f8a102a728dea544efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ayrzcwr.cmdline

Filesize
266B

MD5
1eb42340223d48d47db157df2b32cc12

SHA1
01810f1adf933d692e4ce5c564b277f2dc778572

SHA256
888f2e69230a3ddce237515b8d0ea6e5f8edc34420046cf783a99777019efdf7

SHA512
6919afe5a160edad226b1e5cd446d39ddc0fc7c5a97dbb04d3cc0b8d63ed0e04b1ed836b3bc7426923b1fdbc8b189b1cfbd1c707c5640050f36371e84cb96d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp40E7.tmp.exe

Filesize
78KB

MD5
7b75d420f547d723faff5222296eaba9

SHA1
8e0f05faf8858200fe587b37733acf2038f97b71

SHA256
cbb21fcef28d4f9b5b00708511185a912143a2e934f10760b3a6ebd0b8afba4d

SHA512
8ac05c59f03a4ca9cd29634e3a4cfe0453a0b5767c9a38d9f118deeeac8c93a0bd6890fd7e20fdd1600d151e47b3662338d26c6be12e70a4a520d90aa111bb9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc426D.tmp

Filesize
660B

MD5
3ab9c493621771b1b600549cd93687a2

SHA1
5cce5524f59a707ea63ba9878fbc6c0403d62dcd

SHA256
d5a0f6c8fab2d991826c327900938b69be405822e99abf2d04c9df0e8573f733

SHA512
74c7ffc9f937f5e3e5d34717bd4efc5bb569661fe32ba0fc9e3c395492cb7452eeb8be498ad08e3086d2898b8f5f922fbd7e1dd106fad3584ed19910ce399bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2640-0-0x0000000074621000-0x0000000074622000-memory.dmp

Filesize
4KB

Download
memory/2640-1-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2640-3-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2640-24-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2752-8-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2752-18-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads