metamorpherrat | 08bc5e5057aa256fbbafc292a5c1220b1b33cef8c593e75bbed896b3d72d5871

General

Target

ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe
Size

78KB
MD5

ff50a47e57f3aba9af3d23c7fe1ee9c0
SHA1

b1d7b995b1119d7058ac73364ce03553a149010a
SHA256

08bc5e5057aa256fbbafc292a5c1220b1b33cef8c593e75bbed896b3d72d5871
SHA512

487fa2770184c78dd7239c0e2c589e9b9f36677e2e2fbc0a9be65538eb8d8bb439f72be14bf44c4d94c76a4652ec39ade3409f33c906cd39ad12ecbf44ec7e56
SSDEEP

1536:MBWV5jcAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6J9/H1SO:2WV5jcAtWDDILJLovbicqOq3o+nx9/f

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe

Executes dropped EXE 1 IoCs

pid	Process
688	tmp8174.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp8174.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8174.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4848	ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe
Token: SeDebugPrivilege	688	tmp8174.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 4944	4848	ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe	84
PID 4848 wrote to memory of 4944	4848	ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe	84
PID 4848 wrote to memory of 4944	4848	ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe	84
PID 4944 wrote to memory of 3556	4944	vbc.exe	88
PID 4944 wrote to memory of 3556	4944	vbc.exe	88
PID 4944 wrote to memory of 3556	4944	vbc.exe	88
PID 4848 wrote to memory of 688	4848	ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe	89
PID 4848 wrote to memory of 688	4848	ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe	89
PID 4848 wrote to memory of 688	4848	ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe	89

C:\Users\Admin\AppData\Local\Temp\ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe
"C:\Users\Admin\AppData\Local\Temp\ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vl9roi7a.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDCAA5D3F46D4881982643B6CD42D0BD.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3556
- C:\Users\Admin\AppData\Local\Temp\tmp8174.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8174.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ff50a47e57f3aba9af3d23c7fe1ee9c0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES82DC.tmp

Filesize
1KB

MD5
cb9ff1dd3737faf860ddd7ab4ee82cd8

SHA1
385b1dadcb55975cbfcf62e89060c1f6142c7870

SHA256
2e11c95fb854457a888e7a754bff7dbb1d9aa8802c8d018427c78c27f43e0ff3

SHA512
520fb173d525f08e4fe54386c90a65981081d45e5a9946d0f13f8a7847ddbbd2c2609eef90a4f8d09260af130e73e08f50f36928c1bf19d6fbe6c5ad4f7e93bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8174.tmp.exe

Filesize
78KB

MD5
6d592aa35d093a5250a44fc3e9a3210c

SHA1
abf785147fe37c97a345e2037e3c2bfb8d5d2cbe

SHA256
a099b3de6dda94dbf2d52e7d165df04bf09b77fc5b35b42d654d0780bfe47439

SHA512
327822e10a2424156fe06595d24132e195c47802c1859b8faf3a674b461e641c3da5cab06d5b289d42a29cbdd32044334f57edbb0699c936c1eb43c36f0b5ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDCAA5D3F46D4881982643B6CD42D0BD.TMP

Filesize
660B

MD5
6af617a76c0c2fdd137247f60a2003f3

SHA1
58ee1170e395fe884780a85a19cd185c91a58b34

SHA256
e0a030a302d9e780ab3dad112a14c89703422df44fd557cfb8ecacd683eb14e2

SHA512
2809ea7a0afe47757569a9d28ba0669a55a34ac86d0e2f73ad88a5303383cebe458879b045a277ef8c5ec21c90449c1f31369df6e447db36cad9961aad566277

Download Submit
C:\Users\Admin\AppData\Local\Temp\vl9roi7a.0.vb

Filesize
14KB

MD5
976766e2c25bc268d0299f32095b39e8

SHA1
d9172ce84065851a7c68ee698477d64bb4aab34e

SHA256
a23ed1ef9ca9cc7af6673053475ac5846f1061e772583df00baacf63d1777255

SHA512
a0d3b853821067b3e3181738a6d19837f9615204ee2b3582588a978a9f40252223bb269028528ff562685ceb3380f261b7d3117c8b69d69e770a66dd563d6a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\vl9roi7a.cmdline

Filesize
266B

MD5
8bd6d2973697230541917b3449871ce3

SHA1
cfb9f5bd98e28d997cacc92f8523a536013c348b

SHA256
726654aa32098034623f313a7d46597308386d592dae5f1cd0dc19c72cd1cbb1

SHA512
9c5d43da0910b11b4d09ef0d9f693636430dd8149bcd985e7174b8ba9b3f8555052ed3477d09ebe2f04e0411dffa4cdd6546605ccd9333ffec24729a07b3a2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/688-23-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/688-24-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/688-25-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/688-26-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/688-27-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4848-2-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4848-1-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4848-22-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4848-0-0x00000000752A2000-0x00000000752A3000-memory.dmp

Filesize
4KB

Download
memory/4944-9-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4944-18-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads