metamorpherrat | 1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23

General

Target

1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe
Size

78KB
MD5

0f7e81c8e85ecc5e06934e2b362ae9a0
SHA1

930d1bb4494cb62247087c044f005284ba42f928
SHA256

1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23
SHA512

aee28c59c6192e95d7acdd2f9669a45d6153e4960f831deb23c0bc01562205049abf6d30ed0fd16809cae01033a6b0425101e14ab848867fd07a538c74048e8f
SSDEEP

1536:WVe5jNAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtd6cC9/d1rL:8e5jNAtWDDILJLovbicqOq3o+ns9/n

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe

Executes dropped EXE 1 IoCs

pid	Process
2124	tmp6987.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp6987.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6987.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3448	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe
Token: SeDebugPrivilege	2124	tmp6987.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 2944	3448	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe	85
PID 3448 wrote to memory of 2944	3448	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe	85
PID 3448 wrote to memory of 2944	3448	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe	85
PID 2944 wrote to memory of 3884	2944	vbc.exe	88
PID 2944 wrote to memory of 3884	2944	vbc.exe	88
PID 2944 wrote to memory of 3884	2944	vbc.exe	88
PID 3448 wrote to memory of 2124	3448	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe	90
PID 3448 wrote to memory of 2124	3448	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe	90
PID 3448 wrote to memory of 2124	3448	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe	90

C:\Users\Admin\AppData\Local\Temp\1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe
"C:\Users\Admin\AppData\Local\Temp\1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7aspvfa9.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6AD0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc71FB0E10644F4EF3AFFEADC2610D38E.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3884
- C:\Users\Admin\AppData\Local\Temp\tmp6987.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6987.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7aspvfa9.0.vb

Filesize
14KB

MD5
10e80e6a79e94cbab95e62441c2f6294

SHA1
a6dfae3d606bcfec0a0718fb61975bcf8b4bb492

SHA256
e8d58c724cabc990372b1c6527903205980cc811c9d7b9b95c41dddf480026b0

SHA512
0078e25e559b583ebf4a2cbc01c32a9907d88db8644d464258622d86f1deef6fd94b3a112913db557583f915b67f79a25419cab75fed9d7f8d1ad535d480132c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7aspvfa9.cmdline

Filesize
266B

MD5
6079d6ee7c3730e56c6b2703aaee4254

SHA1
584492fbde30b84266613912ea6200029710fafa

SHA256
4f6fb55ab9a15592cf0a2be6e32e9be5225286c9f2428f02408f8e9919d481d1

SHA512
78ea68119cd520717996b500b78e9d72ac70219ff2c115a2a0be15cd88a16384f654d94a8790f567befe5f9ff333425efc8a16156bd611ba35f8204877016450

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6AD0.tmp

Filesize
1KB

MD5
67da8c38e9565769835bc57782609013

SHA1
5e60f49976b6882b9345777067a644f915170162

SHA256
6f1b2d18117069c65d530777590b5256d32f14ef075f7dff91f698ebae0347da

SHA512
b9f6936a3e50473d99459ad8de2e57adaf4ea1fd3d3189cac90078b10567560113df8fca182872b36b3c0781ba2d913e21c96653d49dd2ce8c8d8ba2185d008d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6987.tmp.exe

Filesize
78KB

MD5
4fcbf34dc2ea7a5f566ee526dfa2e047

SHA1
4c957e024b2b0c3b283c26dc3a9ba1a627c2d63b

SHA256
3f50a15c32a5a0972db60fd8fdaafdf0782572e834fb766f78e4c2bb61df1fbf

SHA512
f25df97985273d142de4d6f39ab832f7926f27a15c68e50104ee6da66e9af392c6bc2ee730d19a66fda6ded85f248b0404e9d645be9a7457cf7a2f6f9f12e235

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc71FB0E10644F4EF3AFFEADC2610D38E.TMP

Filesize
660B

MD5
7dde66ef955630b14e141efdc2d373c6

SHA1
8e8901ac0d0b2daa5be5412d03e2bd17ccd3dd6b

SHA256
772d02441e5baf7fabceac7a9ab022e5885c542976fc916c2046288079a38a39

SHA512
8b19cccf8d08f9a21614a7f949ab37aa31c63aba4534f1363d01a06cb256ad58448d4252b0b943c67664b2cf9a48f485ad886cbce38d778c4968792b7ae30165

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2124-24-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/2124-23-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/2124-25-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/2124-26-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/2124-27-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/2944-9-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/2944-18-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/3448-0-0x0000000074802000-0x0000000074803000-memory.dmp

Filesize
4KB

Download
memory/3448-1-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/3448-22-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/3448-2-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads