metamorpherrat | b4e0db7411b309de3782066420b53404d8c982d7a1b7b25393854c314f033fb7

General

Target

30fcafa5b1901662c7380cdd43f66940N.exe
Size

78KB
MD5

30fcafa5b1901662c7380cdd43f66940
SHA1

d1747e772d9e4bee597650bcb851de40a46bf4f2
SHA256

b4e0db7411b309de3782066420b53404d8c982d7a1b7b25393854c314f033fb7
SHA512

ef49e07987838e41db6fb5355df19f03a09dffb02c2c30cf5f1350dcd44c458218f970837a8143c22652cecd0d54e820c9c14c48f40bf6ccfc26755944aba99b
SSDEEP

1536:yVc55AlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtd6J9/jP1QJ:oc55AtWDDILJLovbicqOq3o+ni9/jO

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2732	tmpA69B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1972	30fcafa5b1901662c7380cdd43f66940N.exe
1972	30fcafa5b1901662c7380cdd43f66940N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpA69B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA69B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30fcafa5b1901662c7380cdd43f66940N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	30fcafa5b1901662c7380cdd43f66940N.exe
Token: SeDebugPrivilege	2732	tmpA69B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2688	1972	30fcafa5b1901662c7380cdd43f66940N.exe	30
PID 1972 wrote to memory of 2688	1972	30fcafa5b1901662c7380cdd43f66940N.exe	30
PID 1972 wrote to memory of 2688	1972	30fcafa5b1901662c7380cdd43f66940N.exe	30
PID 1972 wrote to memory of 2688	1972	30fcafa5b1901662c7380cdd43f66940N.exe	30
PID 2688 wrote to memory of 2436	2688	vbc.exe	32
PID 2688 wrote to memory of 2436	2688	vbc.exe	32
PID 2688 wrote to memory of 2436	2688	vbc.exe	32
PID 2688 wrote to memory of 2436	2688	vbc.exe	32
PID 1972 wrote to memory of 2732	1972	30fcafa5b1901662c7380cdd43f66940N.exe	33
PID 1972 wrote to memory of 2732	1972	30fcafa5b1901662c7380cdd43f66940N.exe	33
PID 1972 wrote to memory of 2732	1972	30fcafa5b1901662c7380cdd43f66940N.exe	33
PID 1972 wrote to memory of 2732	1972	30fcafa5b1901662c7380cdd43f66940N.exe	33

C:\Users\Admin\AppData\Local\Temp\30fcafa5b1901662c7380cdd43f66940N.exe
"C:\Users\Admin\AppData\Local\Temp\30fcafa5b1901662c7380cdd43f66940N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qjxsojvb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA7E3.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2436
- C:\Users\Admin\AppData\Local\Temp\tmpA69B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA69B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\30fcafa5b1901662c7380cdd43f66940N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA7E4.tmp

Filesize
1KB

MD5
1311607089eb2321fd24e4ad3191711a

SHA1
fe5bd8f9429690a6fa5b23ec098896661c3e8181

SHA256
20357c3348870468c57ccc904ce0dbbb60ac19830f57242ba4393ff3ca901c25

SHA512
ff4a6a0163a1990897e7a49936597ce48f46be9da7591bce7988ca0fe34cb97370fd34abe16343a4419d2ea0034ba1522a2b7fd264bc3cb98d004e30d8701d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\qjxsojvb.0.vb

Filesize
14KB

MD5
8557cbf8eec3f3643c8cca6fc27f007f

SHA1
671be6964f81f823e900b844eaf954d1288532f4

SHA256
f5b76a08a0fbe0908849f7fb867e8e99fc737a54c2f65536f95dd72db0707763

SHA512
3d6b519b66bba414cb53054160026d3c36a2d650b16b9f87ad28c51fe13041e40311d76639a1dce9eee3b49e3138a313d70f5905c29fe82cb640a4ce1f2508f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qjxsojvb.cmdline

Filesize
266B

MD5
123c1ee367ab8258d61edffee5d04e63

SHA1
e06c0282c6b2ba2922864237a343ca8d5c7bf09a

SHA256
bdb224bd4044bafc5642ce25a75b733adfaeb65a5075a3d463610dd93b4ee10a

SHA512
f684ac37c169701ed14cbf511421cba2693a8dd19b8ef0c67fd5b6dad1c0b0bd5f0ad2fa9184cca3cb362fc9c433f7c65b17ab11f4186d7aef0838a03263b60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA69B.tmp.exe

Filesize
78KB

MD5
c481035c8fdd66f363978ef12315ed16

SHA1
5043b7216fc370e30d39114629241def04e4f012

SHA256
6fcf8c6456429ac5ff2126118c9720f60cc23abcaa34c32a2ab27ddd80eb6646

SHA512
c44ef7923b4a67ee08a0c920693c1aa18e25dcd4b6180755c7def4f3aa46c149901f9e089bbcb57714ded80208c6b89aa7f37d04897a0705d691883098bd7c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA7E3.tmp

Filesize
660B

MD5
2a8084bf88bdfb3abccb25a42daaa6e4

SHA1
4386fbeaa827f8f86d55b77e77506b23347838cf

SHA256
f8c730e274403eae4fc0a607c3096de2f9393f2f4573e52b51f8c3dc29bff411

SHA512
9efb7ea0c42a3481524a1d557337ba0ad7e9abf1eebca3d0c51766a7839bfabc86fcfc84cd1759f08079134e839020bb78008ff8cd23e896dcea76a75e9fb108

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1972-0-0x0000000074E21000-0x0000000074E22000-memory.dmp

Filesize
4KB

Download
memory/1972-1-0x0000000074E20000-0x00000000753CB000-memory.dmp

Filesize
5.7MB

Download
memory/1972-5-0x0000000074E20000-0x00000000753CB000-memory.dmp

Filesize
5.7MB

Download
memory/1972-24-0x0000000074E20000-0x00000000753CB000-memory.dmp

Filesize
5.7MB

Download
memory/2688-8-0x0000000074E20000-0x00000000753CB000-memory.dmp

Filesize
5.7MB

Download
memory/2688-18-0x0000000074E20000-0x00000000753CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads