metamorpherrat | 4296494175266b1019309a99ee700485f07c40bd722202e633f94fef3149a705

General

Target

4296494175266b1019309a99ee700485f07c40bd722202e633f94fef3149a705N.exe
Size

78KB
MD5

35e9c21485049c860e0803398e435b80
SHA1

a452f127019ce5defa6c68c00e595108114ed821
SHA256

4296494175266b1019309a99ee700485f07c40bd722202e633f94fef3149a705
SHA512

092c4aa2f647ed40b00e6e76b564f9a9b421ae9c60a1f4852fbc302ddcaf1a19820cc28ba546701258f136e4c3f12bb11d0f3d4314652e04ce5e63d113267ba0
SSDEEP

1536:V5e53AlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtX6W9/6Y1uE:ze53AtWDDILJLovbicqOq3o+n79/6e

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	4296494175266b1019309a99ee700485f07c40bd722202e633f94fef3149a705N.exe

Deletes itself 1 IoCs

pid	Process
4876	tmpC37F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4876	tmpC37F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpC37F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC37F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4296494175266b1019309a99ee700485f07c40bd722202e633f94fef3149a705N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	220	4296494175266b1019309a99ee700485f07c40bd722202e633f94fef3149a705N.exe
Token: SeDebugPrivilege	4876	tmpC37F.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 2144	220	4296494175266b1019309a99ee700485f07c40bd722202e633f94fef3149a705N.exe	82
PID 220 wrote to memory of 2144	220	4296494175266b1019309a99ee700485f07c40bd722202e633f94fef3149a705N.exe	82
PID 220 wrote to memory of 2144	220	4296494175266b1019309a99ee700485f07c40bd722202e633f94fef3149a705N.exe	82
PID 2144 wrote to memory of 2960	2144	vbc.exe	84
PID 2144 wrote to memory of 2960	2144	vbc.exe	84
PID 2144 wrote to memory of 2960	2144	vbc.exe	84
PID 220 wrote to memory of 4876	220	4296494175266b1019309a99ee700485f07c40bd722202e633f94fef3149a705N.exe	85
PID 220 wrote to memory of 4876	220	4296494175266b1019309a99ee700485f07c40bd722202e633f94fef3149a705N.exe	85
PID 220 wrote to memory of 4876	220	4296494175266b1019309a99ee700485f07c40bd722202e633f94fef3149a705N.exe	85

C:\Users\Admin\AppData\Local\Temp\4296494175266b1019309a99ee700485f07c40bd722202e633f94fef3149a705N.exe
"C:\Users\Admin\AppData\Local\Temp\4296494175266b1019309a99ee700485f07c40bd722202e633f94fef3149a705N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q2isx9iu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC459.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAF41DE494FB84A85A16C63DE398DF57D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2960
- C:\Users\Admin\AppData\Local\Temp\tmpC37F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC37F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4296494175266b1019309a99ee700485f07c40bd722202e633f94fef3149a705N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC459.tmp

Filesize
1KB

MD5
b6e012cd96866377c2de82ef4aa040b6

SHA1
46c37b13a8eb4c014b6adb783cebcca3c45147d2

SHA256
ac65b63bfbb14d97075373401702d63c1858d4008e7311eb8abf0a229bae5853

SHA512
b5f36f75712a20042efadd8e2a63ca05954b3fca99eeddc53017f0d0933923f85be4bf4e36383ae5b8e08503d5faa08b96b485c25cf388438f8f076d9c7cf58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2isx9iu.0.vb

Filesize
14KB

MD5
43d9cdbd5a0c72abd1cebcf1cff47c10

SHA1
63c343122647c114f7ed0bdc4a12136db676c52d

SHA256
cc9b01ac3c37ef883921c3be25e21726cba9e444c9c2ce7259cebe851acf4ba0

SHA512
aeb7a3ffb6e18cedc83656e23e4307736d65bb56901af8d1d0caf24a8036084a7e1c3460f50f133a6856506d0bd7426dccc4386334ecc3232e4fca2f4d7a93f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2isx9iu.cmdline

Filesize
266B

MD5
030a5953902077d74f3bb594b56bd1d4

SHA1
f5536e752504c1b382f9a09dc9e7a52060e4949b

SHA256
bfef34ddab87aabb8b407a1242714c33d6ea9b1c910bc151e2f116b645c905ed

SHA512
20762b381feebc68b235f3f91ebd28e15a2a169e93ea896974fc49d2d9e5d222d376d5fbf4fafd5b1345d3e7ff98ba980047f48bd15e3a8dbaa4c4de156e5896

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC37F.tmp.exe

Filesize
78KB

MD5
124ef55d8688664f333ac499a2ea5d43

SHA1
6f0a70a5f7985e9ae4e6a8b00e39454a094dad5a

SHA256
21dc0e9d124c0bef299bd5749bccadadd577eceb18bee8daf0caf3f55f8dd7c8

SHA512
32f58ecf64614ece3fc771bc4200b01d7bf4041466889cf9d1eba8a6ee2819ad4670e3f8e2a2abba028813c594b0a89125ab7ecafdaff58404ba2a04f0aa2e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAF41DE494FB84A85A16C63DE398DF57D.TMP

Filesize
660B

MD5
266b45b78d6d5f54204d81eea556dc18

SHA1
c401c3832f13e136d3510b1c4e4e298eff604bbe

SHA256
ce0e7caf8bec8d51eef950c887b375cdd7438227a9f75286477931dfcc9daa33

SHA512
cc18999d2967e27ab604628ee265098dfc5ba074e0be043aad1dcaaa187b32feb50494e765d33f7043dc40348c47ed71bb49d24777d0ad92f4dc946fb017e8cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/220-1-0x0000000074B00000-0x00000000750B1000-memory.dmp

Filesize
5.7MB

Download
memory/220-2-0x0000000074B00000-0x00000000750B1000-memory.dmp

Filesize
5.7MB

Download
memory/220-0-0x0000000074B02000-0x0000000074B03000-memory.dmp

Filesize
4KB

Download
memory/220-22-0x0000000074B00000-0x00000000750B1000-memory.dmp

Filesize
5.7MB

Download
memory/2144-8-0x0000000074B00000-0x00000000750B1000-memory.dmp

Filesize
5.7MB

Download
memory/2144-18-0x0000000074B00000-0x00000000750B1000-memory.dmp

Filesize
5.7MB

Download
memory/4876-23-0x0000000074B00000-0x00000000750B1000-memory.dmp

Filesize
5.7MB

Download
memory/4876-24-0x0000000074B00000-0x00000000750B1000-memory.dmp

Filesize
5.7MB

Download
memory/4876-25-0x0000000074B00000-0x00000000750B1000-memory.dmp

Filesize
5.7MB

Download
memory/4876-26-0x0000000074B00000-0x00000000750B1000-memory.dmp

Filesize
5.7MB

Download
memory/4876-27-0x0000000074B00000-0x00000000750B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads