metamorpherrat | 66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24c

General

Target

66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe
Size

78KB
MD5

a4b9ce87ed124ebcad9a0e6ee2365140
SHA1

be7f0ec0826529076860c56581e98779d8c8cd80
SHA256

66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24c
SHA512

d95edae19e140d8bb49280c1472e4e536f133f6808acc388761cf4f53e3a4dbf8d8b0214a5fde4cea5188e1826ff2807546d9d90257cbeb908871662d9fa55e4
SSDEEP

1536:RmWtHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtLu9/o:MWtHFoI3ZAtWDDILJLovbicqOq3o+nLt

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe

Executes dropped EXE 1 IoCs

pid	Process
4764	tmp65FD.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp65FD.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp65FD.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4260	66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe
Token: SeDebugPrivilege	4764	tmp65FD.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 1608	4260	66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe	82
PID 4260 wrote to memory of 1608	4260	66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe	82
PID 4260 wrote to memory of 1608	4260	66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe	82
PID 1608 wrote to memory of 3588	1608	vbc.exe	84
PID 1608 wrote to memory of 3588	1608	vbc.exe	84
PID 1608 wrote to memory of 3588	1608	vbc.exe	84
PID 4260 wrote to memory of 4764	4260	66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe	85
PID 4260 wrote to memory of 4764	4260	66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe	85
PID 4260 wrote to memory of 4764	4260	66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe	85

C:\Users\Admin\AppData\Local\Temp\66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe
"C:\Users\Admin\AppData\Local\Temp\66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dvkltdr_.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES66F7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDF1BF16FD2B04C4CB293A176617D3774.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3588
- C:\Users\Admin\AppData\Local\Temp\tmp65FD.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp65FD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\66827c6a5874ef547a8bf87fee7bfadf7426cf19ae14505692b0172b0937f24cN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES66F7.tmp

Filesize
1KB

MD5
e2129c72a717d99734144032df277fec

SHA1
33f253af5be504af2aab44464e13218154cbfb48

SHA256
8c926e0abb8e66c112cb6b68d0fe3d8d1cb1709f99def4309420286d47728bfd

SHA512
1ebe059dceb898b285dc0fe6e849e5ebf1d4523427f7c8366faa8a740f1fa5a17d1020d0c06dd667441c682c773b5cb4b35aa922f2a11730f276e859ab6f21fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvkltdr_.0.vb

Filesize
15KB

MD5
a37a245755370b2dd3453aa62ccddd2a

SHA1
3ecab402981e2e77554ad9bf14542e800b0e027d

SHA256
8034f101c3c4985504d6066ad678bab795abcba4ea585f3fc6490555ddaa5e4d

SHA512
e5eff3fa66edc2a632a41beae69afadfb8e86e260199395c8c30ae7df7a89d7b79dca3c1cc4b8eb6ac87fa1e7cdd6ae3e3a473666445d96e4c03a7e2bd2c83ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvkltdr_.cmdline

Filesize
266B

MD5
24bb36ecc155233f7403fc30f570acc0

SHA1
134f28ffe70b19c257f464a8a6ef9e364d73f966

SHA256
3671578413a8be25b860a6e069a3aa12acb8592b75d02bbee2295905c59023b9

SHA512
2ec11231b118caef21ea81e0fb4e55e105d5bd2e810326bec107fa0dc055ad3683b75385ed1fc6b2e36642d38bedf1748e4cdebd03d0c0da9a789d98c11e0c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp65FD.tmp.exe

Filesize
78KB

MD5
ac8228570e2789d65a303fe2c0c6115b

SHA1
88bb5c5ddd7b21391c1f6449339902e947436926

SHA256
e83fb66551d37bbab7bba7b776713e005734b97610ca95997ff1b09bc909351d

SHA512
9ca5dbf97722f0100c10867c5849e7878181c5b2316336cd4fb20f26fae9b4309ea4e2d2c7bc0d4ef4eaee703a4803d67f7921baaae2e69960e7971ceebc621d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDF1BF16FD2B04C4CB293A176617D3774.TMP

Filesize
660B

MD5
6d59623ef14b14f4525d2c0ee3c04529

SHA1
c45145a2c1ef4f1bac49c155583c42d4de76ee54

SHA256
94f18de7c2329bfe870e9ce1f69f18784ddef76d7429a3e3050ce4d18b1ce545

SHA512
86d9c0cf211e037c5712a9cff3c3e3d154746c8fd0d0cbc2aa296312552613dc0524c618b9b4a0e6c06ea33a4a43eeaee643ee0c0a6bdc657f96c0c2dcf39a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1608-8-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/1608-18-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4260-0-0x0000000074D22000-0x0000000074D23000-memory.dmp

Filesize
4KB

Download
memory/4260-2-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4260-1-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4260-23-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4764-22-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4764-24-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4764-25-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4764-26-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4764-27-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads