metamorpherrat | 1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23

General

Target

1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe
Size

78KB
MD5

0f7e81c8e85ecc5e06934e2b362ae9a0
SHA1

930d1bb4494cb62247087c044f005284ba42f928
SHA256

1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23
SHA512

aee28c59c6192e95d7acdd2f9669a45d6153e4960f831deb23c0bc01562205049abf6d30ed0fd16809cae01033a6b0425101e14ab848867fd07a538c74048e8f
SSDEEP

1536:WVe5jNAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtd6cC9/d1rL:8e5jNAtWDDILJLovbicqOq3o+ns9/n

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2864	tmpE540.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2244	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe
2244	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpE540.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE540.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe
Token: SeDebugPrivilege	2864	tmpE540.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2896	2244	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe	30
PID 2244 wrote to memory of 2896	2244	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe	30
PID 2244 wrote to memory of 2896	2244	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe	30
PID 2244 wrote to memory of 2896	2244	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe	30
PID 2896 wrote to memory of 2204	2896	vbc.exe	32
PID 2896 wrote to memory of 2204	2896	vbc.exe	32
PID 2896 wrote to memory of 2204	2896	vbc.exe	32
PID 2896 wrote to memory of 2204	2896	vbc.exe	32
PID 2244 wrote to memory of 2864	2244	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe	33
PID 2244 wrote to memory of 2864	2244	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe	33
PID 2244 wrote to memory of 2864	2244	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe	33
PID 2244 wrote to memory of 2864	2244	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe	33

C:\Users\Admin\AppData\Local\Temp\1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe
"C:\Users\Admin\AppData\Local\Temp\1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2xpekkcq.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE928.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE927.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2204
- C:\Users\Admin\AppData\Local\Temp\tmpE540.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE540.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2xpekkcq.0.vb

Filesize
14KB

MD5
bf2dacc532ebbe6ab944006429c8e1af

SHA1
734e8cdba6c9631b3b02e745743c4b98c9eca4f4

SHA256
7ca5a15614fc6bb74c455880589cb6380d03efa6b47a4f5fb25fcd5daae1cd27

SHA512
be91e15c0ff49c28da97064c1462ca24ba294a32ae647474c460abb5905434562def5eecd7495984cecfa909c9493cccc4b37d1a992393ad43925eafeaa89e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\2xpekkcq.cmdline

Filesize
266B

MD5
0ed4bef2c2ab00b64656875c98e8935d

SHA1
a5368316b1e914537d5180b9ab80578b59799bf4

SHA256
e4ed52e9467c8acb28b231a74018b60e07b5cb6dedfe5a88c09116e209bbc829

SHA512
caab5deeb2d2b512589665ea2d7b3c4d3a5ebc25bf87cd0fef28fc4a9a7bfe08f6046f8ce5e3f0e9add573bcdea7e7a8f56606b5c328a376ed6bc8a56462e011

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE928.tmp

Filesize
1KB

MD5
1d2cde99ae1d31bb45d3f14269f446ed

SHA1
1df2d12eaa3aac1809126cfffdba84a67838c09c

SHA256
74ac82873b596a5a286ee32c86269d59a7966c4df0f72d130eb4bff0c41d6c3d

SHA512
8f5437a72bea5787bfe8e4dfab9c334a0923696e5622474e6c1020a071ce520ab2798898597f56741b57b596887104d948888934cf288f9a412886a29d1e78b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE540.tmp.exe

Filesize
78KB

MD5
9fe3773809368aa9d21d2e6c5a76d8fe

SHA1
53d472d3ee92145c6d1db55c39a62cbaedd1b46b

SHA256
977f0a984541c53aececf8df1f2cab945250424bb54837cbc831edb683b2a285

SHA512
e06991d81a6f22bfeabf8c3629d673d7c10ecbc40c6b041269a19a679630db9a63c64618c58128ff81161375f68c5e9e243d4345145547db88986dd8fd10113b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE927.tmp

Filesize
660B

MD5
5df204b809ca7b08bb2a26681403b55c

SHA1
d9cfc2df1255e93b2ec87cda2bd9560dc1a12154

SHA256
adebcf4323f6004152e0b9dd188c7248e58691c830431632c17e6c5da17d813b

SHA512
18f8ed0501df33da4a62fb44135ec35269aed45a61e00fa3dff872556e99abfe459731ae8b32b95a721d3ea657eb266ff839abc2d328e429d10bfcf3b41506d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2244-0-0x0000000074611000-0x0000000074612000-memory.dmp

Filesize
4KB

Download
memory/2244-1-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2244-2-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2244-24-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2896-8-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2896-18-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads