metamorpherrat | f7316c1b376ec7f9b6b06b81d05c0d4e8234657f9e304644777b899c593a8130

General

Target

f7316c1b376ec7f9b6b06b81d05c0d4e8234657f9e304644777b899c593a8130N.exe
Size

78KB
MD5

29ea37b8758282431d7474edb80da6f0
SHA1

726e403e5e918d6dd189d49d16dba9865af3f2b9
SHA256

f7316c1b376ec7f9b6b06b81d05c0d4e8234657f9e304644777b899c593a8130
SHA512

c17bb1d80d5bd7fb071b6c7d66a7c378ae2901ea5bf3f2de7a957a2e291a5922ef484b7842e0980956b2a3a96c746f1c86988193ce8404ddad9dcaef5f2d518d
SSDEEP

1536:LmWtHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtLP9/3:aWtHFoI3ZAtWDDILJLovbicqOq3o+nLF

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	f7316c1b376ec7f9b6b06b81d05c0d4e8234657f9e304644777b899c593a8130N.exe

Deletes itself 1 IoCs

pid	Process
2164	tmpA170.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2164	tmpA170.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpA170.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7316c1b376ec7f9b6b06b81d05c0d4e8234657f9e304644777b899c593a8130N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA170.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	f7316c1b376ec7f9b6b06b81d05c0d4e8234657f9e304644777b899c593a8130N.exe
Token: SeDebugPrivilege	2164	tmpA170.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2980	2212	f7316c1b376ec7f9b6b06b81d05c0d4e8234657f9e304644777b899c593a8130N.exe	84
PID 2212 wrote to memory of 2980	2212	f7316c1b376ec7f9b6b06b81d05c0d4e8234657f9e304644777b899c593a8130N.exe	84
PID 2212 wrote to memory of 2980	2212	f7316c1b376ec7f9b6b06b81d05c0d4e8234657f9e304644777b899c593a8130N.exe	84
PID 2980 wrote to memory of 1536	2980	vbc.exe	86
PID 2980 wrote to memory of 1536	2980	vbc.exe	86
PID 2980 wrote to memory of 1536	2980	vbc.exe	86
PID 2212 wrote to memory of 2164	2212	f7316c1b376ec7f9b6b06b81d05c0d4e8234657f9e304644777b899c593a8130N.exe	88
PID 2212 wrote to memory of 2164	2212	f7316c1b376ec7f9b6b06b81d05c0d4e8234657f9e304644777b899c593a8130N.exe	88
PID 2212 wrote to memory of 2164	2212	f7316c1b376ec7f9b6b06b81d05c0d4e8234657f9e304644777b899c593a8130N.exe	88

C:\Users\Admin\AppData\Local\Temp\f7316c1b376ec7f9b6b06b81d05c0d4e8234657f9e304644777b899c593a8130N.exe
"C:\Users\Admin\AppData\Local\Temp\f7316c1b376ec7f9b6b06b81d05c0d4e8234657f9e304644777b899c593a8130N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gxxtphq8.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA354.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCCE37C297E5449EB9E541B4C98804C48.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1536
- C:\Users\Admin\AppData\Local\Temp\tmpA170.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA170.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f7316c1b376ec7f9b6b06b81d05c0d4e8234657f9e304644777b899c593a8130N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA354.tmp

Filesize
1KB

MD5
962022e5238c4cf19098051570b81975

SHA1
6fdf700056b8e4d3c42e9ea707d7a17e55e7f2b5

SHA256
b33e8763779a8fbb31957838af626a543a3d81cf1510f59f46b69bfdc87cf489

SHA512
bca1b1e2d2d8687c83086fac3cb8eb06701691ca9a76b3b5fa21bcfe8878c3d99bd97259ce68909b8fafae31e2c3663b6c45f5431c8563ef734e2b019b26f832

Download Submit
C:\Users\Admin\AppData\Local\Temp\gxxtphq8.0.vb

Filesize
15KB

MD5
b1053914ed851682e8e1cd14730092fc

SHA1
f516defff8f324257165b5bfc558bbd3d3493954

SHA256
0a2df804398537c1cf2e617d5dc180e1586e8c6076dae30cdb71b55453bc71ef

SHA512
bb1d14c3c8eb47e278a06fd4af2c49258ab24fcc0a7663506570837f13eecbf8f3d9c80e0a1405c21934232d7388732137deb4417fbed7e9e2072f9ab5896c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gxxtphq8.cmdline

Filesize
266B

MD5
52447d9ca851fdaafc78bc84efbf73c4

SHA1
a46904074007c3eab5e83ca5fcd372c9ef53c7fc

SHA256
d7edc1979713653c3d679458d17b3e5081e2f93fed6496fc43e4becd81b39ba4

SHA512
31d994c99c4947b641d4109cf299868fda16fe16b56d9aa105484c0426718fb59bc4031fe653fa5cbf43a5bc98fe6c37efcbebdf8151112666d8ae0551655394

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA170.tmp.exe

Filesize
78KB

MD5
e2868c9cf6f2cb9ccba36aa9256b6b13

SHA1
e4c8ec46195c7bb916e1f5a855a5646242dd9965

SHA256
8fcb055bfdedcea6a00d250b82b09dd1387b1e5d07ac7d1220df827f489143d5

SHA512
3eec05aa8793cd8a767fe07cb0c90a36b1475d47c5917e17bec6f500ce1da36e9b41e42acabcc95284ff3a70e7fcc6ec8e416b90a77db8389fb267c7cd283976

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCCE37C297E5449EB9E541B4C98804C48.TMP

Filesize
660B

MD5
3a19116d572f52a70e5c168f9be0ce9f

SHA1
955c0b40bfacbb0e9663ffc1e339e63310db437b

SHA256
70d8290e3248c1d673be05d10e6e795ecdecc2ce99dd3c4288ee3f654d00a590

SHA512
3ad1a0b20273e10d0469f7a48f221c155b5b319ca71210201e465f97e9e65bf18e9bdb3cffd8bba2cd352da6568a52829a794508f49ddb21cb13034ce9e79f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2164-25-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/2164-23-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/2164-24-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/2164-26-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/2164-27-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/2164-28-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/2212-0-0x0000000074712000-0x0000000074713000-memory.dmp

Filesize
4KB

Download
memory/2212-21-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/2212-1-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/2212-2-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/2980-18-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/2980-13-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads