metamorpherrat | 87cb00d95b5d5c7198419e60dad3383afb3ba96242de5a81279d04ca66661fd9

General

Target

87cb00d95b5d5c7198419e60dad3383afb3ba96242de5a81279d04ca66661fd9N.exe
Size

78KB
MD5

cfcf6110dc1037ebd8abd3501683d150
SHA1

4122722b2d5c2e47ad558b6cb68c49b762790639
SHA256

87cb00d95b5d5c7198419e60dad3383afb3ba96242de5a81279d04ca66661fd9
SHA512

7fcb97782fd912d4923d70bc5a0f2ddfe9a422d59303d696566986745addc5253ff46944bd08169f86798e8de0daf75224a4d01fcd52915429e8ec6aed72d94b
SSDEEP

1536:KcV58xAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti699/x17q:/V58xAtWDDILJLovbicqOq3o+nl9/S

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2688	tmpB941.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2384	87cb00d95b5d5c7198419e60dad3383afb3ba96242de5a81279d04ca66661fd9N.exe
2384	87cb00d95b5d5c7198419e60dad3383afb3ba96242de5a81279d04ca66661fd9N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpB941.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87cb00d95b5d5c7198419e60dad3383afb3ba96242de5a81279d04ca66661fd9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB941.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	87cb00d95b5d5c7198419e60dad3383afb3ba96242de5a81279d04ca66661fd9N.exe
Token: SeDebugPrivilege	2688	tmpB941.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2088	2384	87cb00d95b5d5c7198419e60dad3383afb3ba96242de5a81279d04ca66661fd9N.exe	30
PID 2384 wrote to memory of 2088	2384	87cb00d95b5d5c7198419e60dad3383afb3ba96242de5a81279d04ca66661fd9N.exe	30
PID 2384 wrote to memory of 2088	2384	87cb00d95b5d5c7198419e60dad3383afb3ba96242de5a81279d04ca66661fd9N.exe	30
PID 2384 wrote to memory of 2088	2384	87cb00d95b5d5c7198419e60dad3383afb3ba96242de5a81279d04ca66661fd9N.exe	30
PID 2088 wrote to memory of 2084	2088	vbc.exe	32
PID 2088 wrote to memory of 2084	2088	vbc.exe	32
PID 2088 wrote to memory of 2084	2088	vbc.exe	32
PID 2088 wrote to memory of 2084	2088	vbc.exe	32
PID 2384 wrote to memory of 2688	2384	87cb00d95b5d5c7198419e60dad3383afb3ba96242de5a81279d04ca66661fd9N.exe	33
PID 2384 wrote to memory of 2688	2384	87cb00d95b5d5c7198419e60dad3383afb3ba96242de5a81279d04ca66661fd9N.exe	33
PID 2384 wrote to memory of 2688	2384	87cb00d95b5d5c7198419e60dad3383afb3ba96242de5a81279d04ca66661fd9N.exe	33
PID 2384 wrote to memory of 2688	2384	87cb00d95b5d5c7198419e60dad3383afb3ba96242de5a81279d04ca66661fd9N.exe	33

C:\Users\Admin\AppData\Local\Temp\87cb00d95b5d5c7198419e60dad3383afb3ba96242de5a81279d04ca66661fd9N.exe
"C:\Users\Admin\AppData\Local\Temp\87cb00d95b5d5c7198419e60dad3383afb3ba96242de5a81279d04ca66661fd9N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gjkfsmow.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA0D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA0C.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2084
- C:\Users\Admin\AppData\Local\Temp\tmpB941.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB941.tmp.exe" C:\Users\Admin\AppData\Local\Temp\87cb00d95b5d5c7198419e60dad3383afb3ba96242de5a81279d04ca66661fd9N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBA0D.tmp

Filesize
1KB

MD5
876d3bad4439a3c9e7f04a2fad0f96f2

SHA1
ff94e047da5ecceee20d4437c20b35f18f6149e3

SHA256
8e274a9effbb3e025524f8014c2c3617a4f36f6616fb034e886f6f9fb5444a3b

SHA512
73335825bc733c7380f60f998c937ea4bc18f591cb0cd67396e100bc2d80affe9a24542e396cf92feaaf9ee3b4fc5d3153f3ca81d52810161c5744f737e50fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gjkfsmow.0.vb

Filesize
14KB

MD5
6c219aeff7fbe12a757c2f4d0ac4d656

SHA1
252bf3bc213154bad7f707c3cb8af8e66832d3d5

SHA256
60bf401a6c572c7a0bb68b83b4ebeda2549aa2a3ebd710ab3514d4ab7bb48f0e

SHA512
688f258099102b9a40964e3f0d354344d3883e8cb7e874c37f64f163a44f34dec3a3eec1be8fda455ea2a229723580a7abf773d0eeacd27aa7c857d2bb2486fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gjkfsmow.cmdline

Filesize
266B

MD5
8eaa512156da4809a846aa4b599ca7ad

SHA1
856be9692f3efdbd1469df74bf71da1aa2c688fc

SHA256
d516ce25e5a27b319f4582193acd41cc7e4c381e57c536b27681876beba294c8

SHA512
07b3d867fd0e54336a664d5cb83083c61f7dc75bb48cddad427507683b3e05b07c5a2950cee8d3eee120b797c0b2f86f292c4eeb2469878c71cb04d016ba959b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB941.tmp.exe

Filesize
78KB

MD5
15633b4fcc9d31d05425239ef6037f8d

SHA1
48cf712bec39fe2af04547ce151dc1e12f93484e

SHA256
c91da7e7d0dbb8f32d67b83caf09c98b1ff83d4a7f12028cfdeee40f87461de7

SHA512
1251f1b7acca3526cd646c39d468a424fedae128bfcf4f67785ae5265265ca10d326249bea3359e21b62fed6e86dcd1dce8677d3b6e69f1cb3baa2b4f4ff0555

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBA0C.tmp

Filesize
660B

MD5
72a042b46acef97516e72acd5b0c206c

SHA1
3e85ac0ea9187d526b4c59094bd7dfccf56cf03c

SHA256
b124b485053642a86e26d8f35d740c7d45225847a549748759d420dda6a23078

SHA512
bf7fc4c93bdef42b0d96b78e1a8c72a7a3cc854de5cac22156d1981de014ae6d17645d26570a909672840a06440d073eef6345b6f5492fee385781a3fae8c39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2088-8-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/2088-18-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/2384-0-0x0000000074DD1000-0x0000000074DD2000-memory.dmp

Filesize
4KB

Download
memory/2384-1-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/2384-2-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/2384-24-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads