metamorpherrat | f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115f

General

Target

f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
Size

78KB
MD5

0e6596b3209273042786b0da91593250
SHA1

f4dfbe814f931ec000ece9d9d390e21491815949
SHA256

f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115f
SHA512

83a4e62690553d09cab50c6c8fac07d80d377f9875c51e71ae563e24d6fa066e8af64a8cf1469418f7849d756977eba9475390270ff8acdf36588d339addd943
SSDEEP

1536:8A5jSAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6Y9/D1Wv:Z5jSAtWDDILJLovbicqOq3o+nw9/y

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2812	tmp9C5F.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2420	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
2420	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp9C5F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9C5F.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
Token: SeDebugPrivilege	2812	tmp9C5F.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2064	2420	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe	30
PID 2420 wrote to memory of 2064	2420	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe	30
PID 2420 wrote to memory of 2064	2420	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe	30
PID 2420 wrote to memory of 2064	2420	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe	30
PID 2064 wrote to memory of 2276	2064	vbc.exe	32
PID 2064 wrote to memory of 2276	2064	vbc.exe	32
PID 2064 wrote to memory of 2276	2064	vbc.exe	32
PID 2064 wrote to memory of 2276	2064	vbc.exe	32
PID 2420 wrote to memory of 2812	2420	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe	33
PID 2420 wrote to memory of 2812	2420	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe	33
PID 2420 wrote to memory of 2812	2420	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe	33
PID 2420 wrote to memory of 2812	2420	f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe	33

C:\Users\Admin\AppData\Local\Temp\f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
"C:\Users\Admin\AppData\Local\Temp\f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k_w5nz1z.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D69.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D68.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2276
- C:\Users\Admin\AppData\Local\Temp\tmp9C5F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9C5F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f32655f67e9a97e236f0e620cad0c6c777a8f53e724e3877ddfdea1c2480115fN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9D69.tmp

Filesize
1KB

MD5
92a293d1c3f52cc22f2e6950228c1d7f

SHA1
7b05c8f67532560b93058d60ebfb46da38c3f8f3

SHA256
ac86300f86dd5d1d0488509fb6afc233abfa32a868d2b966c85362fac7ed12fc

SHA512
cbba97b84b5217187fb4cba93c673766cfac28b999aa099e253e257b958d03514f97f71301a9e8d44c8b56c3b7445e6e48573608bbf12829a1b06e7eed2b5fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\k_w5nz1z.0.vb

Filesize
14KB

MD5
cfead341eea02bf988daa84c313f5921

SHA1
d703de8374aec97417ab949260d258a2572ddc00

SHA256
719d2f889237c14a118aba3584832ae4364b5127175ad24a1cc811be692925bc

SHA512
84f70b37ba780d60be799498fe8d202fc5519ae3dfab52241a842acd22460626a0fcde24cbbf80ee4ad5b4e4114c7238886e4b7de185d899c90037f27e1973b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\k_w5nz1z.cmdline

Filesize
266B

MD5
2d34e0482b172eb93f6550e10fe7dedb

SHA1
8408d6f0cf04a75574e82426607777a550611323

SHA256
3c933a61e12dd73ffb8375602e48980358dee03e3a8e0b359662963bbced7e10

SHA512
4389da76352f8f3974b60b68d437d09908f9c3d258e45347ce85b857bcb11b0d929b6ff1e4719a4c6f3138f1621be775b035c0bb09858dcca221d13d93cd8bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C5F.tmp.exe

Filesize
78KB

MD5
2c5fa54547a97de3290d903d66068127

SHA1
95bf2fe238a032f097713c7f281d9cc2032a135d

SHA256
2c8182cc5df2cce2740882455b176f38e87db84aab99fd5461d7245d572637a3

SHA512
7a4444484a966d298d2309893471bcc10d4bd55cfc8307680ead82ff5bbfe77acf5d5dfc2e5db3383df85b5724c459315e8cd8ea8709e0abee9eee2fcd8341ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9D68.tmp

Filesize
660B

MD5
5ff3d0f64fc6f75c156806ee870fe87e

SHA1
f6625c9eb98ca3058f497c454efdad638a2a8922

SHA256
40ed73fee94882fc13c747910fefe2b2eea18ca463938e59530a062fcfc120c7

SHA512
86bff722deb05abdf5e4d57ce115b993955878550989ecf34faa8ba3433a3b8c30920261264f67cdf97e1a3fb427130ff1e820177ccac0775acdcbfd6298fe0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2064-8-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/2064-18-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/2420-0-0x0000000074D11000-0x0000000074D12000-memory.dmp

Filesize
4KB

Download
memory/2420-1-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/2420-2-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/2420-24-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads