metamorpherrat | 66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24c

General

Target

66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe
Size

78KB
MD5

a4b9ce87ed124ebcad9a0e6ee2365140
SHA1

be7f0ec0826529076860c56581e98779d8c8cd80
SHA256

66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24c
SHA512

d95edae19e140d8bb49280c1472e4e536f133f6808acc388761cf4f53e3a4dbf8d8b0214a5fde4cea5188e1826ff2807546d9d90257cbeb908871662d9fa55e4
SSDEEP

1536:RmWtHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtLu9/o:MWtHFoI3ZAtWDDILJLovbicqOq3o+nLt

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Deletes itself 1 IoCs

pid	Process
2632	tmp7687.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2632	tmp7687.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2096	66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe
2096	66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp7687.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7687.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe
Token: SeDebugPrivilege	2632	tmp7687.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2804	2096	66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe	30
PID 2096 wrote to memory of 2804	2096	66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe	30
PID 2096 wrote to memory of 2804	2096	66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe	30
PID 2096 wrote to memory of 2804	2096	66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe	30
PID 2804 wrote to memory of 2604	2804	vbc.exe	32
PID 2804 wrote to memory of 2604	2804	vbc.exe	32
PID 2804 wrote to memory of 2604	2804	vbc.exe	32
PID 2804 wrote to memory of 2604	2804	vbc.exe	32
PID 2096 wrote to memory of 2632	2096	66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe	33
PID 2096 wrote to memory of 2632	2096	66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe	33
PID 2096 wrote to memory of 2632	2096	66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe	33
PID 2096 wrote to memory of 2632	2096	66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe	33

C:\Users\Admin\AppData\Local\Temp\66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe
"C:\Users\Admin\AppData\Local\Temp\66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x0p8tero.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7753.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7752.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2604
- C:\Users\Admin\AppData\Local\Temp\tmp7687.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7687.tmp.exe" C:\Users\Admin\AppData\Local\Temp\66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7753.tmp

Filesize
1KB

MD5
17851fdc5ea5bc9526e7e74d2b5121b1

SHA1
36e8b508d6acee19bd10aaf7a06f32ccb0eb6ea8

SHA256
33c2ea66bd36157f4eba7d69404e17d5ee3463402376ac283865af2d80907515

SHA512
3a25f8dce002945e1a8d7b815fbb78388d613c9106eda8e1bd59d7f4c99fe9a1fcca17055ae0864fe576252823ab6c09f2cb4273177b40a48c7ddd934370e475

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7687.tmp.exe

Filesize
78KB

MD5
ce65b3b29b0992c43f98439d69bb78dd

SHA1
73a3fc9f7ef5b480e4db6e3793d918c086a3cbb9

SHA256
2f26eba450682196ed2a277f31d0dae5793219462d58ef585f42cda119e28e2c

SHA512
fb82df15a43acced5e391bcf56214e86f5fc08f663a3d66c5657cf1622c49305d026d64f32d703e2f3a24ad71bf5e14f5193df2ca5e32f7c92fb96dca7731b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7752.tmp

Filesize
660B

MD5
c8fa3777129c43046454e0e562ff3e63

SHA1
01dcbdaab14d6f7191c6afff79214823042b90a5

SHA256
26f80ed2fab760c98aaff8515119e5e14b38c89d816049f128511d3c535b2d6d

SHA512
e71cf2eb860f7e4c5d27814df25b483bb774ff5a85ea7d8e0b9ef985d8a547ffb0d5e73ce50093a60d510d7fe4bac90425d876459ebb06e169ff72a732b9cbf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\x0p8tero.0.vb

Filesize
15KB

MD5
598e7346445e586d4e6a956995a15fcf

SHA1
e5b650a21b7f100bb652df3a7fba74d7eb2d065f

SHA256
7b8fbb5c1219df7e4507dfc342ea11aab453254c2655b60d74a95c96ba3c8ed4

SHA512
29b2eee48fd8adff34002eee5a85d1949e8cc0ddff45c28418874a3136a93d88fd3149571cc8286abfc28a2b9a8a49ffda51de53b9d5c1029697e9c8910ec459

Download Submit
C:\Users\Admin\AppData\Local\Temp\x0p8tero.cmdline

Filesize
266B

MD5
fd9e5402f45f5ed65e67f27c79bb5c02

SHA1
2b7a80cc26a31b6bf20d36558d9e49cf2f807098

SHA256
997cdb63b664207e3eda890b982088544207f8e91a8c8ab5ad6723aa8b270d51

SHA512
538df01506e2e34f545cde3fca555daacfbaccdf35b57d9dc0ba0db39b91df2ae612d2771055457974aaf8468aba1fa3268527384200d9fecd6fd1dcf3ac8bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2096-0-0x0000000074461000-0x0000000074462000-memory.dmp

Filesize
4KB

Download
memory/2096-1-0x0000000074460000-0x0000000074A0B000-memory.dmp

Filesize
5.7MB

Download
memory/2096-2-0x0000000074460000-0x0000000074A0B000-memory.dmp

Filesize
5.7MB

Download
memory/2096-23-0x0000000074460000-0x0000000074A0B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-8-0x0000000074460000-0x0000000074A0B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-18-0x0000000074460000-0x0000000074A0B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads