metamorpherrat | 3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44

General

Target

3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe
Size

78KB
MD5

d1b0cbaad6725537e9d1dd41c4c5ea31
SHA1

7f5c4531fa1b3bf6b749dac24ea8e0c11d1b5e0d
SHA256

3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44
SHA512

dc478a735c33cb4563c401f6912250948e50754cb9e273f35c800d65c84a1d9cab6da14993174c32a2db40ffbd97c3332d74ceaa6d495b8052d0edbb681d5f87
SSDEEP

1536:zMCHF3uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qt89/J1PY:4CHFP3ZAtWDDILJLovbicqOq3o+n89/U

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2384	tmp90F9.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2412	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe
2412	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp90F9.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp90F9.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe
Token: SeDebugPrivilege	2384	tmp90F9.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2324	2412	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe	29
PID 2412 wrote to memory of 2324	2412	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe	29
PID 2412 wrote to memory of 2324	2412	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe	29
PID 2412 wrote to memory of 2324	2412	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe	29
PID 2324 wrote to memory of 2288	2324	vbc.exe	31
PID 2324 wrote to memory of 2288	2324	vbc.exe	31
PID 2324 wrote to memory of 2288	2324	vbc.exe	31
PID 2324 wrote to memory of 2288	2324	vbc.exe	31
PID 2412 wrote to memory of 2384	2412	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe	32
PID 2412 wrote to memory of 2384	2412	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe	32
PID 2412 wrote to memory of 2384	2412	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe	32
PID 2412 wrote to memory of 2384	2412	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe	32

C:\Users\Admin\AppData\Local\Temp\3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe
"C:\Users\Admin\AppData\Local\Temp\3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pl6dk0wg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9242.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9241.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2288
- C:\Users\Admin\AppData\Local\Temp\tmp90F9.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp90F9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9242.tmp

Filesize
1KB

MD5
5fee523e798fc750f1f42a3baa916155

SHA1
290f9bf9e67f3fd9802037a2e41cfa66dec5f5a8

SHA256
9595257cf55efbcb437d36a3b77ade734da8775703d56b283fd6a851e267f142

SHA512
fd89eb7b50ae71751cdc0baea9d62bdc36d6b38f141de9cf0610ef5e378efda992fe13dff4f5648f21372ec27e167e15f8520e6d69ad281b2bc9110f4b0f8b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pl6dk0wg.0.vb

Filesize
15KB

MD5
6dcde4cb1234c0787cda5fa974f55df5

SHA1
464370e182d86d53382f209d4262516f7753721f

SHA256
1371a46fac2731f8b321d9d7e7a706497b830c62a136bec4ef90089f2fb154f5

SHA512
1b4efbdffbe70c0782e2af320f82dee96fcbcaec0c6caf6c5edf66e4eb826b43215b904e268dfab949d9db0e1d2b6cf0f81b3f7a092085c3e64f7cb83e9b349e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pl6dk0wg.cmdline

Filesize
266B

MD5
2bd2e20d778e7ff7ecaff61fb57285bb

SHA1
750746e66500cd1ce34e1b2576ceb43a90bbb7d3

SHA256
8ea17f1127b22a4b41b53db1fee339f842ef75afb3d0279b004d5cacc1c50226

SHA512
9beeadfa9d2bea4b3c9254ddd1dc857e7143cadb996216db9786e90f96983d0592e71699360bf7d499193d693031d85e6f46665c7ffa1ac06e28020f0037c46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp90F9.tmp.exe

Filesize
78KB

MD5
f7e8cd41c26dd455fee120fa427634de

SHA1
2d4716080222107e1f9ee9df1f044e35291d696a

SHA256
8bbcafdf1b4ae050100851a5e08e7969088883188750adc087f79ceefd11f028

SHA512
b994ec5782a29796bde0a5509927bdc157dba73fa864fbab68da039241c521c142cb7b1c03e67eb50314164a9840f73b8a6c855315feb2266250c17ed0978095

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9241.tmp

Filesize
660B

MD5
4b794d2570ba1d0c85ab8f23b9bdeec5

SHA1
783156a8f8274de1895ff15fa35b616a018ef743

SHA256
63b7db6a03aac2299f35eb5a1aed701bdd21ea2259441fbd91a9c81a05c21cac

SHA512
20a1040881ca54b6ad10b2365978b3ce7aca480573c411b72f1b0c33a3cd5a3f1ba30609df6df1da2aaa74624ff188103b965d052bdca20d06dd5d81095faf17

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2324-8-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download
memory/2324-18-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download
memory/2412-0-0x0000000074861000-0x0000000074862000-memory.dmp

Filesize
4KB

Download
memory/2412-1-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download
memory/2412-2-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download
memory/2412-24-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads