metamorpherrat | 19ba4b537d62ae3c977d29debec50de74275787963004138276593d5237c3037

General

Target

19ba4b537d62ae3c977d29debec50de74275787963004138276593d5237c3037N.exe
Size

78KB
MD5

6e4a9ddee87ef37ddb541436b6616950
SHA1

03fa8dbfe85a08bda3704ace8c4231dc76401fa6
SHA256

19ba4b537d62ae3c977d29debec50de74275787963004138276593d5237c3037
SHA512

b23532537c79589c8f62516253eeffaff340ef3855e697ec5c93ba3f89d639b7cf4c8b9b2fc290935d045b49c8e32753cfe0e69638f3cb5bd3b1dbffcf4385fa
SSDEEP

1536:MTy5jpAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6C9/61QM:cy5jpAtWDDILJLovbicqOq3o+nq9/y

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2696	tmpCD3E.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2068	19ba4b537d62ae3c977d29debec50de74275787963004138276593d5237c3037N.exe
2068	19ba4b537d62ae3c977d29debec50de74275787963004138276593d5237c3037N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpCD3E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCD3E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19ba4b537d62ae3c977d29debec50de74275787963004138276593d5237c3037N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	19ba4b537d62ae3c977d29debec50de74275787963004138276593d5237c3037N.exe
Token: SeDebugPrivilege	2696	tmpCD3E.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2332	2068	19ba4b537d62ae3c977d29debec50de74275787963004138276593d5237c3037N.exe	30
PID 2068 wrote to memory of 2332	2068	19ba4b537d62ae3c977d29debec50de74275787963004138276593d5237c3037N.exe	30
PID 2068 wrote to memory of 2332	2068	19ba4b537d62ae3c977d29debec50de74275787963004138276593d5237c3037N.exe	30
PID 2068 wrote to memory of 2332	2068	19ba4b537d62ae3c977d29debec50de74275787963004138276593d5237c3037N.exe	30
PID 2332 wrote to memory of 2300	2332	vbc.exe	33
PID 2332 wrote to memory of 2300	2332	vbc.exe	33
PID 2332 wrote to memory of 2300	2332	vbc.exe	33
PID 2332 wrote to memory of 2300	2332	vbc.exe	33
PID 2068 wrote to memory of 2696	2068	19ba4b537d62ae3c977d29debec50de74275787963004138276593d5237c3037N.exe	34
PID 2068 wrote to memory of 2696	2068	19ba4b537d62ae3c977d29debec50de74275787963004138276593d5237c3037N.exe	34
PID 2068 wrote to memory of 2696	2068	19ba4b537d62ae3c977d29debec50de74275787963004138276593d5237c3037N.exe	34
PID 2068 wrote to memory of 2696	2068	19ba4b537d62ae3c977d29debec50de74275787963004138276593d5237c3037N.exe	34

C:\Users\Admin\AppData\Local\Temp\19ba4b537d62ae3c977d29debec50de74275787963004138276593d5237c3037N.exe
"C:\Users\Admin\AppData\Local\Temp\19ba4b537d62ae3c977d29debec50de74275787963004138276593d5237c3037N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ncpzq8fj.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE86.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE85.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2300
- C:\Users\Admin\AppData\Local\Temp\tmpCD3E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCD3E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\19ba4b537d62ae3c977d29debec50de74275787963004138276593d5237c3037N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCE86.tmp

Filesize
1KB

MD5
ea0ddd1f38a3eb0b5ef52b90a52adce3

SHA1
420efb09c0c96e8b78864605e907e892dd669bf7

SHA256
55c33095126acb9888f5c9c463d23901c827a3778a4b72ac609d906531bf6f51

SHA512
f22ba326b638be3ec894e69234305480f42733e0dd92a4ab94c1aa5f0a8b225736ec45b81c860e3e12b80dea928ebc0b855fa62296967a9db90431b1bb2d6bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncpzq8fj.0.vb

Filesize
14KB

MD5
2165dd5957f42ead66c354a26318ba2f

SHA1
a867965af7cf7f91cf77fd8045547c7b471bfa29

SHA256
d2b6ab7e38dfcfaf35df80107576e4c2b6c528a06437e887e36b07248b3adae0

SHA512
e9287bd47a2479b955a6a2da9bdcb41f26858b777cf42cef0ddbb1d3b0717cc34999560f6dba037d537f6f95c93c1f0128f1748d178dd606fce90b4a5504ca79

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncpzq8fj.cmdline

Filesize
266B

MD5
271b9e94593411329f9c9682c15f0a6d

SHA1
3461d037a5467daa1baec7b2a9d81748c92918bd

SHA256
87b2f3f353e855245699010c30bc57f524fa4ce7633fe7dee13be7e914c730bd

SHA512
ef4c5b8e8f3e0e344fc32dad44178c5ce6a74669c34558b43df5c24e9ce3e53e2b210df96080ee19b274ba4e662e8125493d0667d42b885c8dbb18fbad192aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCD3E.tmp.exe

Filesize
78KB

MD5
d9f1334950d0ca45f1b1ce3458242892

SHA1
cfd0a16c447fab3069005e0db89f11674063284f

SHA256
e8e10c9d03ed38bc5829a18ac18a7b90c78a42cb7d51bf1363ecf5fd212df918

SHA512
a57bbfc713e3a250c8a29bed14d5d1edd4973e7149c5d134fe1d33819d2ccbfe2c2f8bf6f538e37fddf1f36e5d8b558d394158b7fbd0901074e505eff554c9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCE85.tmp

Filesize
660B

MD5
5f298abc29b6eb17e2fb2c2627afa5bd

SHA1
003586b85b64582c5222eb565d13c4e89d81ff71

SHA256
13b48327bae77a203dab41473f4123c57382afd0a3aaf580e563adb75958d125

SHA512
06fead3ccdfe1a332521e1f2e9eedc06da46d774d09b3bb80e5bf20527d14c1b09d226e7e1a488961f9ab871ffeb5c4d28e20904e150e90ab8de6b61635c9694

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2068-0-0x0000000074361000-0x0000000074362000-memory.dmp

Filesize
4KB

Download
memory/2068-1-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/2068-2-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/2068-24-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/2332-8-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/2332-18-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads