metamorpherrat | f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115f

General

Target

f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
Size

78KB
MD5

0e6596b3209273042786b0da91593250
SHA1

f4dfbe814f931ec000ece9d9d390e21491815949
SHA256

f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115f
SHA512

83a4e62690553d09cab50c6c8fac07d80d377f9875c51e71ae563e24d6fa066e8af64a8cf1469418f7849d756977eba9475390270ff8acdf36588d339addd943
SSDEEP

1536:8A5jSAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6Y9/D1Wv:Z5jSAtWDDILJLovbicqOq3o+nw9/y

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe

Executes dropped EXE 1 IoCs

pid	Process
1956	tmp7947.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp7947.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7947.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4212	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
Token: SeDebugPrivilege	1956	tmp7947.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 1476	4212	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe	85
PID 4212 wrote to memory of 1476	4212	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe	85
PID 4212 wrote to memory of 1476	4212	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe	85
PID 1476 wrote to memory of 1512	1476	vbc.exe	88
PID 1476 wrote to memory of 1512	1476	vbc.exe	88
PID 1476 wrote to memory of 1512	1476	vbc.exe	88
PID 4212 wrote to memory of 1956	4212	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe	90
PID 4212 wrote to memory of 1956	4212	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe	90
PID 4212 wrote to memory of 1956	4212	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe	90

C:\Users\Admin\AppData\Local\Temp\f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
"C:\Users\Admin\AppData\Local\Temp\f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\km8yukqg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A7F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA3F0359E36AF4551B5632CB58721BCC0.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1512
- C:\Users\Admin\AppData\Local\Temp\tmp7947.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7947.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7A7F.tmp

Filesize
1KB

MD5
eb9c8598279737a1608cffd380a7e376

SHA1
135db23d60e778b7da8f645791ff09c055e9e00b

SHA256
c1a6c3551e5e8828b57cea43931157df780335262e6e58b6b6e77e53d04ef222

SHA512
e7699676237234bdbea9c17adf3c3b93f67599d115fa3199974602c38474580a682ba49f63b3618a06469c6c9388f7c911707f3ead9d57cb22fe9efbdfb3f111

Download Submit
C:\Users\Admin\AppData\Local\Temp\km8yukqg.0.vb

Filesize
14KB

MD5
21a10271e9d0ddda35f229113e369ad9

SHA1
1081955cbc29cdc5b30c15649d4cadf0bc25fd0b

SHA256
5af4434fb24a6013113761b680e445df0f6771dc303d103f421d966a42a278a2

SHA512
220961a09d65e92b1e27f0acdf8b64b1f42201b505f34140b5c77ca45c80ca57053c1ba95583c395c246e9cf8027bb24792aeac655e961317795daff83072fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\km8yukqg.cmdline

Filesize
266B

MD5
0f00f5d4d8a2b07eec581e21f2d96319

SHA1
da4e8586dfce94e88274b5c6e388c2373143767e

SHA256
b7dad3e9b7b60061c6c042d7b609d89f8d662fd66dedcbb17f18d2bc92b66339

SHA512
456dd23ca1502936c32035c6e28eb956d7652d389d8b15156fcf8292728d03b146f0021da281577cefdc29b2ebfcad20a71bff33f957aca976a6daf769bc95b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7947.tmp.exe

Filesize
78KB

MD5
d384a38c6a4abb5b722490656cc1f797

SHA1
48f96922f64bffb720f59c3e24f14fa2e88b45c8

SHA256
be6396a2111a48cb232158af460e4628caef02f8033deb6718b1578cc6fef9db

SHA512
b5bd62564c4c40241952cfcaf2dd7ad241286b3ac6e9751a42ae76b57d819977f916365066ef1f4529cede841dee2771c5d9f6bd31baa35a3c9fe931f9c2fc17

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA3F0359E36AF4551B5632CB58721BCC0.TMP

Filesize
660B

MD5
da1483d40663b928e7604cf11bd32f27

SHA1
4ed6fd0ac779e5b450d984394335c91f78ff6e1e

SHA256
ebdae8099b01c3fa5ee25fa68d138246875c2596689f742f96d54ff8335c21eb

SHA512
fe3467a08ee8058f77692c24ee12ee808e0c2976bc259202cb4e278427d542b4c4125c59cb80eba317f5452274d435eabf6167073e104e4d4de1ca53d1230bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1476-8-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/1476-18-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/1956-23-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/1956-24-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/1956-25-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/1956-26-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/1956-27-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4212-0-0x0000000074832000-0x0000000074833000-memory.dmp

Filesize
4KB

Download
memory/4212-2-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4212-1-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4212-22-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads