metamorpherrat | e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0

General

Target

e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe
Size

78KB
MD5

01bfd73e71d195804e870481cd09be83
SHA1

cbca8b71bb31b755363efc9f538ec3047d8802a8
SHA256

e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0
SHA512

d98594e5f6ca7015ac4300366d1be20fee4f9001a0d4ba8ff7f2c87f5d2a1e84396e2f011502abd58f1a4a64546ceb5010aec207ed1486c2f2b47abf3b46989b
SSDEEP

1536:9ouHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtMl9/N1nN:iuH/3ZAtWDDILJLovbicqOq3o+nMl9/t

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe

Executes dropped EXE 1 IoCs

pid	Process
1388	tmp805B.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp805B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp805B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe
Token: SeDebugPrivilege	1388	tmp805B.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2028	2568	e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe	82
PID 2568 wrote to memory of 2028	2568	e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe	82
PID 2568 wrote to memory of 2028	2568	e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe	82
PID 2028 wrote to memory of 3148	2028	vbc.exe	84
PID 2028 wrote to memory of 3148	2028	vbc.exe	84
PID 2028 wrote to memory of 3148	2028	vbc.exe	84
PID 2568 wrote to memory of 1388	2568	e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe	85
PID 2568 wrote to memory of 1388	2568	e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe	85
PID 2568 wrote to memory of 1388	2568	e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe	85

C:\Users\Admin\AppData\Local\Temp\e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe
"C:\Users\Admin\AppData\Local\Temp\e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9xdfji9w.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8174.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8F4ED66BF62F41E4A19182DC6599B82.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3148
- C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9xdfji9w.0.vb

Filesize
15KB

MD5
1ec590f1ed876b9c4f4addaf6f538518

SHA1
e301d1970dc6bdc2778d78c13ae00b5d676b7417

SHA256
b0396d14552602db711a15aa5d97ba0eca89326bdada7738d177dd2c922b0982

SHA512
b1beb6c2f0b290cb995a0cc1e967faa13174bfab25a839f9c448c9366275f2b081847b1c42b1419a67bdb1ee8482179337ba233634b4aecfde42660681c9503e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9xdfji9w.cmdline

Filesize
266B

MD5
408a661f8c7a5d57b84ac7b8b60b6b9e

SHA1
4997b2c81406a997cd426d5b0cf9ee7d763686a1

SHA256
3cf1e66ab9f6eb22a3532257c818ee2c5e4bbdee464408b14b7d791b0ab36c9e

SHA512
52a6843cea7941959e3c467c03ecaf68bbac9f3a405122f4f804b40357e88bc4e23bbe641fea46da87620684dc315e76486c3c73a687d7010fcf7efdeea4d43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8174.tmp

Filesize
1KB

MD5
c0b43896cfb1883f7793114a6cc18874

SHA1
e8db8a3b9da295fce96e6b4cafc08e2ecba83c5b

SHA256
e12c687ab9e3bca58ad003b33bf7d3ab8f6b3017dd1cccb72b2a16225ed49911

SHA512
68169100b66a95f0b63849f9ee7c16a95bd99a469a29837c12e5f7c02298f7c793d998d6103a45d472ed334fa01c1269cb641a7c0c3eedd6bed8a89853d056d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe

Filesize
78KB

MD5
d58be808ae04c676d5d6d8ff21e89cdf

SHA1
5c60650f3d5c8c237b83b3d54ab6eb13c01e2761

SHA256
41548fc130097bda10e0887b8ede9ca0e58dccbb0f26c1aaff02338ad73a4aca

SHA512
0cc6e40b1be4a6206fa380c5cb4604b450646e4b7ec82c15699dafb1bd097236d7211437cdb465b856ac043031cd0db5a24f140b834dbbfe057656279a50fc85

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8F4ED66BF62F41E4A19182DC6599B82.TMP

Filesize
660B

MD5
8b4f6e3c5ec87cd97cc24f022242f950

SHA1
4c062b85cbd269fe482f1249ff09d8bdf39a2f39

SHA256
fab93703b93f687b598cca0e4c1cfa305d5d5ae12c60cc948e95936c66f575a7

SHA512
c0ece332135c75ffb0128a6d7f53effb3edc45802c0e8bcf0106d7f109bbfb1ed74c28c511023ab982cbf2e8225083e43245d9c66fa80170e9c86a560a52b0b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1388-23-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/1388-24-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/1388-25-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/1388-26-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/1388-27-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/2028-8-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/2028-18-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/2568-2-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/2568-1-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/2568-22-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/2568-0-0x0000000074A92000-0x0000000074A93000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads