metamorpherrat | 5919af8f29947171ef7fcbfbeb37708506cb6871f11d8029e3832c042d0d5744

General

Target

5919af8f29947171ef7fcbfbeb37708506cb6871f11d8029e3832c042d0d5744N.exe
Size

78KB
MD5

d6496560cf5ab40ad0e389d61b8cf750
SHA1

8280cd7ee3eca3aa544bb84edfb65060a90c08d6
SHA256

5919af8f29947171ef7fcbfbeb37708506cb6871f11d8029e3832c042d0d5744
SHA512

b5def521109e55436bd0cbcba2e171178e5c1f2c32522d02441d0093e36a820f3bcd7607e86b4ffb50f8737335d0a13af9e88ef20b06dbb1702440b909f49d3b
SSDEEP

1536:4cPCHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qt29/Q1ll:zPCH/3ZAtWDDILJLovbicqOq3o+n29/i

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	5919af8f29947171ef7fcbfbeb37708506cb6871f11d8029e3832c042d0d5744N.exe

Executes dropped EXE 1 IoCs

pid	Process
4184	tmp85E9.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp85E9.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp85E9.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5919af8f29947171ef7fcbfbeb37708506cb6871f11d8029e3832c042d0d5744N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1444	5919af8f29947171ef7fcbfbeb37708506cb6871f11d8029e3832c042d0d5744N.exe
Token: SeDebugPrivilege	4184	tmp85E9.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1136	1444	5919af8f29947171ef7fcbfbeb37708506cb6871f11d8029e3832c042d0d5744N.exe	82
PID 1444 wrote to memory of 1136	1444	5919af8f29947171ef7fcbfbeb37708506cb6871f11d8029e3832c042d0d5744N.exe	82
PID 1444 wrote to memory of 1136	1444	5919af8f29947171ef7fcbfbeb37708506cb6871f11d8029e3832c042d0d5744N.exe	82
PID 1136 wrote to memory of 728	1136	vbc.exe	84
PID 1136 wrote to memory of 728	1136	vbc.exe	84
PID 1136 wrote to memory of 728	1136	vbc.exe	84
PID 1444 wrote to memory of 4184	1444	5919af8f29947171ef7fcbfbeb37708506cb6871f11d8029e3832c042d0d5744N.exe	85
PID 1444 wrote to memory of 4184	1444	5919af8f29947171ef7fcbfbeb37708506cb6871f11d8029e3832c042d0d5744N.exe	85
PID 1444 wrote to memory of 4184	1444	5919af8f29947171ef7fcbfbeb37708506cb6871f11d8029e3832c042d0d5744N.exe	85

C:\Users\Admin\AppData\Local\Temp\5919af8f29947171ef7fcbfbeb37708506cb6871f11d8029e3832c042d0d5744N.exe
"C:\Users\Admin\AppData\Local\Temp\5919af8f29947171ef7fcbfbeb37708506cb6871f11d8029e3832c042d0d5744N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\btohad3g.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86F3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC0F7E9F6D3844589BBA1A26175E93C3F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:728
- C:\Users\Admin\AppData\Local\Temp\tmp85E9.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp85E9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5919af8f29947171ef7fcbfbeb37708506cb6871f11d8029e3832c042d0d5744N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES86F3.tmp

Filesize
1KB

MD5
e75dc8bccd3ccb8fd54c3b836ad0d8cb

SHA1
d595b9282992d254b6ea653dbef2da7ee62e747f

SHA256
89e8048a53661aa7debcf9147d60751fb90c971227d733ea74e3dc9e1f1f7064

SHA512
6895196f31a3a5c2fc77f0aaa5288b8fc31fb051331ca2aa6a6b5ed309631622cddfd492b79d5b7aa2bf7943989eefd98a12616aaa492f5eff6aa4a76939a25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\btohad3g.0.vb

Filesize
15KB

MD5
4322f5156bfee9b5fd6329c63252de47

SHA1
df71d204bc7073f85d07559e20564aea3201df81

SHA256
74f8f7f5c953a1cbd765ec5fc68f28bfaf6720cb2fbdd671d848602210ea3f7b

SHA512
3d3beea00fdb79c5aa7f986bc7d4922d4f497f17abc29cb31159c7f97401898eae08102cbe75854b4cf65d1deaf61170efef0f2600e0e3c06107ecbc6e132843

Download Submit
C:\Users\Admin\AppData\Local\Temp\btohad3g.cmdline

Filesize
266B

MD5
8e30d4fbfe58310b221d422fd0516f30

SHA1
f85eef46b1a1eaa434f6c57aefff4bda2126c4d9

SHA256
fb8a7514b94b79b87bb5b2ff20b3f015d38a10cf37edeaa1246f4ac1b7e74783

SHA512
d13499375b9ab622a71acf1f23bdb31c10f0f9ec51cd9c862938a0071b3faa5833464d6096b9fa0f271471cdbd7329c6afe0f948a1668eb11521a66a7e87d30a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp85E9.tmp.exe

Filesize
78KB

MD5
9924fa28661a2b1a14a232a272d0d082

SHA1
1a7eada9337293e940611eefd8945c7b4457381a

SHA256
7ca696fe2328b83f878f5a2a389de179526862eec72ef34efdb5c946560dd02b

SHA512
0fc923ee400c217dcc886b06951bbf7cfb2a80fcc2cad6a7e2e60c35746476a755196254dc0a8958c0bf9ee130f8f804a7d44cbc3de8b75ae15883304468670d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC0F7E9F6D3844589BBA1A26175E93C3F.TMP

Filesize
660B

MD5
35b06d408b849d1529dcca0caeac345b

SHA1
e3336eee998ef2c45bcc4e26d95841e7137ea152

SHA256
577ba251514361cb7c4f807691009cc15db1c123e6625f6c8024aeaf5fbf1f88

SHA512
7fb7add4a667ae0b9066856ec1300b2c3b96f990671f47929e9e189f62f87099bd9522283dc1ce5d520082e46d02f9217310e8bdc3c430d774b104d7854a1555

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1136-8-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1136-18-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1444-0-0x00000000750D2000-0x00000000750D3000-memory.dmp

Filesize
4KB

Download
memory/1444-2-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1444-1-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1444-22-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4184-23-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4184-24-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4184-25-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4184-26-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4184-27-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads