metamorpherrat | 1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23

General

Target

1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe
Size

78KB
MD5

0f7e81c8e85ecc5e06934e2b362ae9a0
SHA1

930d1bb4494cb62247087c044f005284ba42f928
SHA256

1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23
SHA512

aee28c59c6192e95d7acdd2f9669a45d6153e4960f831deb23c0bc01562205049abf6d30ed0fd16809cae01033a6b0425101e14ab848867fd07a538c74048e8f
SSDEEP

1536:WVe5jNAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtd6cC9/d1rL:8e5jNAtWDDILJLovbicqOq3o+ns9/n

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe

Deletes itself 1 IoCs

pid	Process
3288	tmp831A.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3288	tmp831A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp831A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp831A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe
Token: SeDebugPrivilege	3288	tmp831A.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 4104	2360	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe	84
PID 2360 wrote to memory of 4104	2360	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe	84
PID 2360 wrote to memory of 4104	2360	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe	84
PID 4104 wrote to memory of 4020	4104	vbc.exe	86
PID 4104 wrote to memory of 4020	4104	vbc.exe	86
PID 4104 wrote to memory of 4020	4104	vbc.exe	86
PID 2360 wrote to memory of 3288	2360	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe	90
PID 2360 wrote to memory of 3288	2360	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe	90
PID 2360 wrote to memory of 3288	2360	1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe	90

C:\Users\Admin\AppData\Local\Temp\1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe
"C:\Users\Admin\AppData\Local\Temp\1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ittlv4ab.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8482.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD15509F4B3444F9C145C391DFCFB4F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4020
- C:\Users\Admin\AppData\Local\Temp\tmp831A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp831A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1fd3ffb9a8efba8327a59e3fb2739f9ed312118e8d631abeaa4b444fd990fe23N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8482.tmp

Filesize
1KB

MD5
9f9dc729886412b7deb9849ffde03a1d

SHA1
155fee46268b9ec24416d71ff0cf6339e1a2235d

SHA256
35703f56165e66af368798383d38eeab10525c5ad7641af10f8ec5c92c89267d

SHA512
c78782b81d79ac5ab3c83d51bc33f64d37702d769706c6f83838811bd58e4e61c9d73ec48d74245299a16a9eb8ff1fd17333adb8bb914c3987002887760f7fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ittlv4ab.0.vb

Filesize
14KB

MD5
6aa5db3c7f7bd46f334d752343554328

SHA1
eda69961e57677fd713e27f1fb92c58d4de05b9f

SHA256
f3b142b0bc3485373f32a5cba309a7a5a0b6edd78a68a49c618a1f1e809f140f

SHA512
11e97e6ee84ba86cfb46694cf1c4503ee5c3b3068b44aa6c11323d3f73f1d508b863ac17b8a698fec16488e4bdf8b5745f529cd22dd5a116e63372c2826add67

Download Submit
C:\Users\Admin\AppData\Local\Temp\ittlv4ab.cmdline

Filesize
266B

MD5
1263997a4c214bdf91c371cdd75f2c56

SHA1
b4d9f65bc465196fd68bab51619d487e6c9fed96

SHA256
8d03a8ca7d7e687c000169db2978f4f7ee60384828e9f4471ba57f2559050701

SHA512
0999a10d5256496a9e1f7243bd1885596f6a596c7aa71821bcffe4d005c3370611dc430657d0bfb3fd12d1e7204aa5e04fd3ecb4501284cdd2b079fba0aec131

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp831A.tmp.exe

Filesize
78KB

MD5
6a9bb648fb34f195fa700e42f8593c8a

SHA1
233c143fb3fd126059aeb427f14a8168e2377df7

SHA256
4111cbd01e3d6a4d18d5e80d8126cbc5835f27941a20eb32ccb08bd8cf3ca488

SHA512
1842134ddb4c9a04dbb482ef29c906de77bf40ba1ec06b87295c77dd1d392571124b7872f5467cbf537e2dce360993d0c8bbc298078229b98dd8e5c19c231b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD15509F4B3444F9C145C391DFCFB4F.TMP

Filesize
660B

MD5
104b72f163e2cffe1e5adaf6205f09da

SHA1
e89918bff018d1de18dc414b7dadb0dced738a1a

SHA256
d8d3326b3a3c8ef80381013e9b9c243b97652d19aa015742c5ce2eed540f3f70

SHA512
98dfd603e8ac1fd1016537e9abc34eb535401a65f112321cba32b3a57957b399800a53c745f363b64771d5bf0c99e402a3dc5b43d34142ba6c9dcba84e48d988

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2360-22-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2360-2-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2360-0-0x00000000750D2000-0x00000000750D3000-memory.dmp

Filesize
4KB

Download
memory/2360-1-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/3288-23-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/3288-24-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/3288-25-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/3288-26-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/3288-27-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4104-18-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4104-9-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads