metamorpherrat | f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115f

General

Target

f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
Size

78KB
MD5

0e6596b3209273042786b0da91593250
SHA1

f4dfbe814f931ec000ece9d9d390e21491815949
SHA256

f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115f
SHA512

83a4e62690553d09cab50c6c8fac07d80d377f9875c51e71ae563e24d6fa066e8af64a8cf1469418f7849d756977eba9475390270ff8acdf36588d339addd943
SSDEEP

1536:8A5jSAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6Y9/D1Wv:Z5jSAtWDDILJLovbicqOq3o+nw9/y

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2684	tmpE418.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2544	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
2544	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpE418.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE418.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
Token: SeDebugPrivilege	2684	tmpE418.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2952	2544	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe	31
PID 2544 wrote to memory of 2952	2544	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe	31
PID 2544 wrote to memory of 2952	2544	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe	31
PID 2544 wrote to memory of 2952	2544	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe	31
PID 2952 wrote to memory of 1960	2952	vbc.exe	33
PID 2952 wrote to memory of 1960	2952	vbc.exe	33
PID 2952 wrote to memory of 1960	2952	vbc.exe	33
PID 2952 wrote to memory of 1960	2952	vbc.exe	33
PID 2544 wrote to memory of 2684	2544	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe	34
PID 2544 wrote to memory of 2684	2544	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe	34
PID 2544 wrote to memory of 2684	2544	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe	34
PID 2544 wrote to memory of 2684	2544	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe	34

C:\Users\Admin\AppData\Local\Temp\f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
"C:\Users\Admin\AppData\Local\Temp\f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wbzxgcjp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE513.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE512.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1960
- C:\Users\Admin\AppData\Local\Temp\tmpE418.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE418.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE513.tmp

Filesize
1KB

MD5
125ee2aef99f2b2654de46d2f9b3d961

SHA1
31fbed0e4e3a00f298d39e00f6bab052d14010d1

SHA256
8bd1e42e45b8ecb04f7e8ca9c0a0dada2bb3993509bd0380b7b538388e3ff368

SHA512
dbf8db925d38563621bcea3209d090d7145b9a0968f4781084089f31a3e4228801d5e94974a826608070bf6ed39085e9eab0440dcfeb73854e872fe2c4ac85fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE418.tmp.exe

Filesize
78KB

MD5
ec992298e3e4cea255cae42d74c5aa27

SHA1
a2507e8a3f1a57da994f050add45a5ab33df789b

SHA256
47c8c59ef9a8a358494e695961d12921ad9eb4f5c68308212b1b0a77fdcdb1b9

SHA512
d17a27554314656501728177d477bcd2657ac3da3e5680ea0d7affd3e32d3b1919967eff562f9f8ee395435008b19baff4c9b9c6092c1c9aaf58a288cb7a1607

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE512.tmp

Filesize
660B

MD5
8ff74cc8f3d8cac4e93339caf234e8f7

SHA1
9e12710bc5b87434d8d0e80a9bf16ecf00c362cc

SHA256
339527edd3c23e117c9dd4ffe329e88698424e673c50b0f17c0128dacd0b969e

SHA512
2871ec75c4fc5599b5b2b0632014d056c5d6381ab55d0f04f4266a0e52e540d65478696c9d67d604131baf22fa08f5cef851a69949a5623b2c4560c513aa9d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\wbzxgcjp.0.vb

Filesize
14KB

MD5
3f1176fa728d275786469fb14ebac573

SHA1
2addf92afa27569807c7b62d072f505c5355858a

SHA256
f70e651201a0023e964db08f4af2f4207625d5840d222041e70fd60f5ff0c62e

SHA512
e1fe179da45c17d69ca8a0c0183ebb774e05b6ce911068cc712ada167a76cdee18c4cdf1027310cfc6421f2008909dc8029ca2713c9cc2cc579f6151d05a6076

Download Submit
C:\Users\Admin\AppData\Local\Temp\wbzxgcjp.cmdline

Filesize
266B

MD5
930107f339fcf90dcb098f42572b4761

SHA1
9b0083e3a523dc173972710ccbb70a90621d993e

SHA256
f1315e2ac41831e1e8490ad65296fb65a02816545ada69258af4c9f102832d07

SHA512
38f5d72ec067e6b439913deaee972678951ba5c2f93588af5685aea924634b3101c02db2f8f0a2fa3d70394b261b4bf1014263ca716032bbbd4f954d7960d5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2544-0-0x0000000074231000-0x0000000074232000-memory.dmp

Filesize
4KB

Download
memory/2544-1-0x0000000074230000-0x00000000747DB000-memory.dmp

Filesize
5.7MB

Download
memory/2544-2-0x0000000074230000-0x00000000747DB000-memory.dmp

Filesize
5.7MB

Download
memory/2544-24-0x0000000074230000-0x00000000747DB000-memory.dmp

Filesize
5.7MB

Download
memory/2952-8-0x0000000074230000-0x00000000747DB000-memory.dmp

Filesize
5.7MB

Download
memory/2952-18-0x0000000074230000-0x00000000747DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads