metamorpherrat | 0092345c9172b7d0d862ff4489896e409f93e50839841147908fa4da949cd0d6

General

Target

b3730424ad591633e0c57b72b99609f0N.exe
Size

78KB
MD5

b3730424ad591633e0c57b72b99609f0
SHA1

449e56dcbeabfe045c5bdb820ac8c3ce50a25a75
SHA256

0092345c9172b7d0d862ff4489896e409f93e50839841147908fa4da949cd0d6
SHA512

4549086907d60718c19074a31d1bba2231e342c729fff8b8bb041bf439db5d39f42a31aa6a2e80fa3f5f9f3018eb6bbb26136d319cdb5b71883686c2ee2a5ecf
SSDEEP

1536:zVPy5jSIAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtd609/S1sN:BPy5jSIAtWDDILJLovbicqOq3o+nT9/j

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2620	tmpA0C2.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1048	b3730424ad591633e0c57b72b99609f0N.exe
1048	b3730424ad591633e0c57b72b99609f0N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpA0C2.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA0C2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3730424ad591633e0c57b72b99609f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	b3730424ad591633e0c57b72b99609f0N.exe
Token: SeDebugPrivilege	2620	tmpA0C2.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 996	1048	b3730424ad591633e0c57b72b99609f0N.exe	29
PID 1048 wrote to memory of 996	1048	b3730424ad591633e0c57b72b99609f0N.exe	29
PID 1048 wrote to memory of 996	1048	b3730424ad591633e0c57b72b99609f0N.exe	29
PID 1048 wrote to memory of 996	1048	b3730424ad591633e0c57b72b99609f0N.exe	29
PID 996 wrote to memory of 1728	996	vbc.exe	31
PID 996 wrote to memory of 1728	996	vbc.exe	31
PID 996 wrote to memory of 1728	996	vbc.exe	31
PID 996 wrote to memory of 1728	996	vbc.exe	31
PID 1048 wrote to memory of 2620	1048	b3730424ad591633e0c57b72b99609f0N.exe	32
PID 1048 wrote to memory of 2620	1048	b3730424ad591633e0c57b72b99609f0N.exe	32
PID 1048 wrote to memory of 2620	1048	b3730424ad591633e0c57b72b99609f0N.exe	32
PID 1048 wrote to memory of 2620	1048	b3730424ad591633e0c57b72b99609f0N.exe	32

C:\Users\Admin\AppData\Local\Temp\b3730424ad591633e0c57b72b99609f0N.exe
"C:\Users\Admin\AppData\Local\Temp\b3730424ad591633e0c57b72b99609f0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b7dyilkd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA17E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA17D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1728
- C:\Users\Admin\AppData\Local\Temp\tmpA0C2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA0C2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b3730424ad591633e0c57b72b99609f0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA17E.tmp

Filesize
1KB

MD5
2facd12493989791cb7c1d8ee963093e

SHA1
58060ea0483e6559a349ed45c42069cae5633112

SHA256
4ffa8485cff99189a216ff2fd3ccc56cab2f80085971a13f6c59890213169dbf

SHA512
12585c1df8f1975ae39f79932cfbf60fb7d5520292ffaba8f2cf9786913e6d5de167205bd3c6aefade5e2e9a794d378af75dc2814798026426b20060f36baee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7dyilkd.0.vb

Filesize
14KB

MD5
0c0694045f10a000c26533c267ac4e01

SHA1
6ec1b82ee39e974113b5b742dbdd44c05e1f8b71

SHA256
4db03309b399c98cc9cab4a94c73fad84e9662ee0f2a688e508b35ece9b74166

SHA512
66e31186ee8af5d7bc4319785369d21c3dc28edaaaf1c28b68ca3a41ed3d141471db10830bcd881102b1e4a35e2facaa09d20207ec1e831bc7d83ecc5d7a5343

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7dyilkd.cmdline

Filesize
266B

MD5
7ab053bc40f16d472214b905610128e4

SHA1
ebafcf8e387d9b38b29d9824647bcb74a8cbe71f

SHA256
d4dc0118d9cca8c2e422ae1940105b04af5d0e0018341e619f65eb15c8fd6e22

SHA512
dac03e1be43e8a59d48071aa4817222fae6c5cc2844330486dbcf3e3ad47970e4d4444da51822376f3d0f5c660a2fd7534959412b262c270e962688181d65398

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA0C2.tmp.exe

Filesize
78KB

MD5
bcfb89a8527fd225eb2dc55b37258710

SHA1
806159c0f43498ad7b356097fb4ddf64a7bf9bf8

SHA256
505987d3c457fbc5ea907eadec199f0a31b4c74e6585c7876b45fc29829176c6

SHA512
060a50b12798599f1a0c90e21d9829b8deeb4baace3d9aad7ba0ca1876177f7a494631283a23e577c1314067f1e1b994e41ce0e369c1a11c682df286f80532ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA17D.tmp

Filesize
660B

MD5
a8b6558153a52264f48092b3510ee189

SHA1
3576d7d62d2b8b88d3887099c9c3fef716f8dcbc

SHA256
0d862851d4effa7d8ee032b72445672b68063a3508c2cf54bd1f6e0ca3efa2b7

SHA512
f0a4cbab3d4fafed58861e339f56a2420708d766428aa0ed761d7cd566dde543926e81df5bb7dd14f504a1849ad08aeb5f98ca917a11acfbe4c1c8df05557406

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/996-9-0x0000000074A90000-0x000000007503B000-memory.dmp

Filesize
5.7MB

Download
memory/996-18-0x0000000074A90000-0x000000007503B000-memory.dmp

Filesize
5.7MB

Download
memory/1048-0-0x0000000074A91000-0x0000000074A92000-memory.dmp

Filesize
4KB

Download
memory/1048-1-0x0000000074A90000-0x000000007503B000-memory.dmp

Filesize
5.7MB

Download
memory/1048-2-0x0000000074A90000-0x000000007503B000-memory.dmp

Filesize
5.7MB

Download
memory/1048-24-0x0000000074A90000-0x000000007503B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads