metamorpherrat | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611

General

Target

a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
Size

78KB
MD5

864d51ebd98fba435ff1c57c5696c760
SHA1

9420d56ef6166d7ab5306904e580d31d68d6aee0
SHA256

a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611
SHA512

3e8afbacf784128e168e3929f4f4a937276dd3e7098f46e2c44ff73b1232ef8b65ed0567285f65fb64b297549f9247deaf5234b3df0f4fbb9ea522f3294ebe72
SSDEEP

1536:bmCHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtLa9/J1zk:KCH/3ZAtWDDILJLovbicqOq3o+nLa9/c

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe

Deletes itself 1 IoCs

pid	Process
3604	tmpE436.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3604	tmpE436.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpE436.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE436.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
Token: SeDebugPrivilege	3604	tmpE436.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 4364	1672	a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe	84
PID 1672 wrote to memory of 4364	1672	a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe	84
PID 1672 wrote to memory of 4364	1672	a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe	84
PID 4364 wrote to memory of 1688	4364	vbc.exe	86
PID 4364 wrote to memory of 1688	4364	vbc.exe	86
PID 4364 wrote to memory of 1688	4364	vbc.exe	86
PID 1672 wrote to memory of 3604	1672	a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe	90
PID 1672 wrote to memory of 3604	1672	a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe	90
PID 1672 wrote to memory of 3604	1672	a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe	90

C:\Users\Admin\AppData\Local\Temp\a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
"C:\Users\Admin\AppData\Local\Temp\a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gntetq0o.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5EB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC233BAB39A3542F3BD61103AA1A52012.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1688
- C:\Users\Admin\AppData\Local\Temp\tmpE436.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE436.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE5EB.tmp

Filesize
1KB

MD5
c365190369fd7b7a1d6099dbf91beedb

SHA1
6e1af1de5f444092a3274592313efae1b6d26d70

SHA256
4aa12d209bf799bfc796ae42982a1cf598cb21f987e3417d829706cac61576ce

SHA512
c613357cd594905f568a65bc32e2633a5dcdb76989c65c41251dfa3528881ebf4f93b6205c649a5784dc3ac7a9046e49de2ce8d48a9d8dcdf70950ee40b8be82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gntetq0o.0.vb

Filesize
15KB

MD5
394072c40df45e272090966178e74256

SHA1
dded5ab474d276463459d5c68a27c21142f4faea

SHA256
7489a28b4e4e869831c93ab8fafe43112f4d21dc36339caa0559720f93938cea

SHA512
81c19b7f545477757a6ab337f369d366d78a09b93c076a54a747083d95cb08320405d279bfac9212a03de9bbbd5db3086397da3ce7dbe7aa72b83efeb707a9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gntetq0o.cmdline

Filesize
266B

MD5
dd925124de60767e177f972677f4ba80

SHA1
a5880e9e161c8dbde4d96f70279971e775dc97d4

SHA256
a735e505f6aee97033b3b54e635ba01705ab642a4f5c1636fa9e4b4f4cf1a076

SHA512
343638b4049d2f740b401824bb2731ca547c3d5bb25619a8457b261cadb457f7e4c7646c0d81549bd1ee5fda13154efc950a3b411d415feb8fdeb09fd81a1e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE436.tmp.exe

Filesize
78KB

MD5
894b6944939db0e4d056016ffdf61804

SHA1
624eb5ab11c7d9839e702fe87851e8ed448b3713

SHA256
45dd1a70aed0de311f069d2a2c16b458c89195c362e29dd99e777cb49a2b7eee

SHA512
a46052845bb78f404d7376c67c85853aafa83f0d1a42a18667a15093273457e10a773fb80818079bc0bbbeff3b553849fdd6cabbd3e4ddea6b52503b250bc9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC233BAB39A3542F3BD61103AA1A52012.TMP

Filesize
660B

MD5
2ee55c409374c71f12e6df2b4cb6e80b

SHA1
24107e62536b8a9c82912752963e44ec7ef4c3e8

SHA256
889ce39606bcd0090f5c88bbbff92dc605a2277fb0e27fcd3b54113335cb1e6a

SHA512
577c83753e2f692b417806f24c7dd140f6e8c92855fa9be16e4d8992a33e6804f875393b687b460de535f6b161b516402f06a521ea2062e2b83f88be75f45493

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1672-1-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/1672-0-0x0000000075232000-0x0000000075233000-memory.dmp

Filesize
4KB

Download
memory/1672-22-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/1672-2-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/3604-23-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/3604-24-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/3604-25-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/3604-26-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/3604-27-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/4364-18-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/4364-9-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads