metamorpherrat | 2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5d

General

Target

2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe
Size

78KB
MD5

835e65b1480a66868a104d77b9c4ef30
SHA1

3101e4fba324264700712ab7f182135e9afb4865
SHA256

2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5d
SHA512

81ba04f163250178724093a3105f1483947285ce8bd368cc43112f65a6ba84d067f3dec94fa54cd4f60477648ad48c2a6a75edf06a6c16524c73cb21a87d9afb
SSDEEP

1536:9Ty58xAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6Y9/yj1FD:hy58xAtWDDILJLovbicqOq3o+nQ9/Y

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Deletes itself 1 IoCs

pid	Process
2196	tmpE743.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2196	tmpE743.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1968	2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe
1968	2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpE743.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE743.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe
Token: SeDebugPrivilege	2196	tmpE743.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2292	1968	2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe	30
PID 1968 wrote to memory of 2292	1968	2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe	30
PID 1968 wrote to memory of 2292	1968	2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe	30
PID 1968 wrote to memory of 2292	1968	2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe	30
PID 2292 wrote to memory of 2572	2292	vbc.exe	32
PID 2292 wrote to memory of 2572	2292	vbc.exe	32
PID 2292 wrote to memory of 2572	2292	vbc.exe	32
PID 2292 wrote to memory of 2572	2292	vbc.exe	32
PID 1968 wrote to memory of 2196	1968	2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe	33
PID 1968 wrote to memory of 2196	1968	2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe	33
PID 1968 wrote to memory of 2196	1968	2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe	33
PID 1968 wrote to memory of 2196	1968	2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe	33

C:\Users\Admin\AppData\Local\Temp\2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe
"C:\Users\Admin\AppData\Local\Temp\2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w1ug4pny.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEAAE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEAAD.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2572
- C:\Users\Admin\AppData\Local\Temp\tmpE743.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE743.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEAAE.tmp

Filesize
1KB

MD5
2e2508f1fe6f4856230319fbf4a25e9b

SHA1
c87cffe996409576dea314aefc05828a7be89fed

SHA256
d6ecd95a9263a165ff2e33bc7f7443e82ee8f80966b0e954474d2159376f4a9f

SHA512
b54714da540fcd6ec97db8531705a3d5689cc4d8d887973351ad5dda75976a57d586b6890f537b73f4191949225762681458b88a0368ec154481292b4ddec2f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE743.tmp.exe

Filesize
78KB

MD5
e56a961d1046ad264cdf1272951c0dbb

SHA1
1e81f44149c55bc7923109f287f0b9c6503adb9e

SHA256
ae38bbfa73210f039de9646c42641a96d56105b75edb09a00c97344bc9d153c6

SHA512
1caefcc2e4284a40d2b95e77324dbf6853695c8b1c9f885c2a8a03379f046e307f0201c29bfc2ce545d670a8cba284a2be45ace6568433d71c0201464fbd68db

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEAAD.tmp

Filesize
660B

MD5
329ea9fa4f68d4338af241681845f9aa

SHA1
b004e15839f4db293ae9dbecd946fc4d98e8e57b

SHA256
58ba4aa91698a3a3c2bf199cd9dda97fc9adfd3b7a61648cec9e5413296cc95e

SHA512
d52bf620a0e8242c5fe195c3ec6c24852ea4d791eaa2b21a5e9a061708e37369cf8651d58f6f1550f94e5d8cb9df9cd97d1315cf7c4893ad6f7f9fc4d3cbba11

Download Submit
C:\Users\Admin\AppData\Local\Temp\w1ug4pny.0.vb

Filesize
14KB

MD5
ade52616cb56edb79704ac4b22fcc2ca

SHA1
0ef55bc59f265018b854ab1e264683626ac59e97

SHA256
b40100bb1bd5b51d6951933393027f479147af15bc5a4aba9b69169bf53573e1

SHA512
9546abf9a3285477f2a40012b331c3f86be949b880c1349e9a147ab01de1a4531dbbd246fa03b3ecd5dc0c9f63278e5580b1a6c48498e8d133ad843e70335d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\w1ug4pny.cmdline

Filesize
266B

MD5
5fca6231da8bdf7555855371734f7bc3

SHA1
ed24fce149cf5f82dc0993fc8dd7381bd92f1502

SHA256
7c8ff127d9cabd49ed3f5cbd2fee767ebd1b12b4b6ca1cf9153759f39190d1ba

SHA512
731424b4bd5bb67db78a51a886ed56241997378b96693532cd20f5846e905f9f00f82ee10b282fcc151e7b149c80b5e198eba6cf87bea04fd56e7bdfddb9ffe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1968-0-0x00000000744E1000-0x00000000744E2000-memory.dmp

Filesize
4KB

Download
memory/1968-1-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/1968-2-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/1968-24-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/2292-8-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/2292-18-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads