metamorpherrat | 903a496a5b8aff1a62ddd1d0a463dbbd394cfd6569f9eba2c13017d1cd515965

General

Target

903a496a5b8aff1a62ddd1d0a463dbbd394cfd6569f9eba2c13017d1cd515965N.exe
Size

78KB
MD5

6ee41d87f850fd8a6b9fb36c65c29e30
SHA1

74fef52fc86016b6305e420406310b52d20d0508
SHA256

903a496a5b8aff1a62ddd1d0a463dbbd394cfd6569f9eba2c13017d1cd515965
SHA512

23e49194893bd59096b382289e0f7d31da762e91fd5afc95f9ed931cf6846db5827bed69324a3642941fd1aa6f2a402f01332090c34105c1b8bc82f2834d6f57
SSDEEP

1536:Uiy5jSuAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtM6w9/v1aM:ty5jSuAtWDDILJLovbicqOq3o+nO9/p

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1900	tmpE263.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1852	903a496a5b8aff1a62ddd1d0a463dbbd394cfd6569f9eba2c13017d1cd515965N.exe
1852	903a496a5b8aff1a62ddd1d0a463dbbd394cfd6569f9eba2c13017d1cd515965N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpE263.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	903a496a5b8aff1a62ddd1d0a463dbbd394cfd6569f9eba2c13017d1cd515965N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE263.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1852	903a496a5b8aff1a62ddd1d0a463dbbd394cfd6569f9eba2c13017d1cd515965N.exe
Token: SeDebugPrivilege	1900	tmpE263.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 2480	1852	903a496a5b8aff1a62ddd1d0a463dbbd394cfd6569f9eba2c13017d1cd515965N.exe	31
PID 1852 wrote to memory of 2480	1852	903a496a5b8aff1a62ddd1d0a463dbbd394cfd6569f9eba2c13017d1cd515965N.exe	31
PID 1852 wrote to memory of 2480	1852	903a496a5b8aff1a62ddd1d0a463dbbd394cfd6569f9eba2c13017d1cd515965N.exe	31
PID 1852 wrote to memory of 2480	1852	903a496a5b8aff1a62ddd1d0a463dbbd394cfd6569f9eba2c13017d1cd515965N.exe	31
PID 2480 wrote to memory of 2248	2480	vbc.exe	33
PID 2480 wrote to memory of 2248	2480	vbc.exe	33
PID 2480 wrote to memory of 2248	2480	vbc.exe	33
PID 2480 wrote to memory of 2248	2480	vbc.exe	33
PID 1852 wrote to memory of 1900	1852	903a496a5b8aff1a62ddd1d0a463dbbd394cfd6569f9eba2c13017d1cd515965N.exe	34
PID 1852 wrote to memory of 1900	1852	903a496a5b8aff1a62ddd1d0a463dbbd394cfd6569f9eba2c13017d1cd515965N.exe	34
PID 1852 wrote to memory of 1900	1852	903a496a5b8aff1a62ddd1d0a463dbbd394cfd6569f9eba2c13017d1cd515965N.exe	34
PID 1852 wrote to memory of 1900	1852	903a496a5b8aff1a62ddd1d0a463dbbd394cfd6569f9eba2c13017d1cd515965N.exe	34

C:\Users\Admin\AppData\Local\Temp\903a496a5b8aff1a62ddd1d0a463dbbd394cfd6569f9eba2c13017d1cd515965N.exe
"C:\Users\Admin\AppData\Local\Temp\903a496a5b8aff1a62ddd1d0a463dbbd394cfd6569f9eba2c13017d1cd515965N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bctxdbck.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2E1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE2E0.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2248
- C:\Users\Admin\AppData\Local\Temp\tmpE263.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE263.tmp.exe" C:\Users\Admin\AppData\Local\Temp\903a496a5b8aff1a62ddd1d0a463dbbd394cfd6569f9eba2c13017d1cd515965N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE2E1.tmp

Filesize
1KB

MD5
d140623688f9682bf7cd99e6794e29f9

SHA1
ffa3801ee9e2220396d724ef1bd5031793cd6101

SHA256
f8dcab79d85ce4091fc8a756a45280d9f947cb7789d86b529d6e1140e8afca77

SHA512
9c2e75fdd75f54a6b2075972e0369523b151f8dfc8405964e7e06c3e6219fcbcb1cf6c1d3fe7719a320eac8578c1e566813df23b5fbd68104dd45bf233f982e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bctxdbck.0.vb

Filesize
14KB

MD5
4f9cf6ee95b54d50b5efe150354da46b

SHA1
4925d1b14d35458cd305df39276faa57a91fbda2

SHA256
a6645a40d3cdd622dcf08c8acfb32004517d862aab746bc5845bf88ee5c103a2

SHA512
5a067a081e54ebb61b2b0c2dec9eebfb6e3bbc753975ed8cb693c35c1b4011696f7f39420b9fc4fa30eee07f63dba7aba37b9d056a7911c470f42a98cc64fd96

Download Submit
C:\Users\Admin\AppData\Local\Temp\bctxdbck.cmdline

Filesize
266B

MD5
43c2fbaffcfc9533d3a8d9d2d73182b1

SHA1
75c1d6f62f66d3692214f2b53acaebf623649f26

SHA256
6cdb04b370e8a5ed36541b7c6f2312631c782706785379a050009c09929a7548

SHA512
190ab5c3645c2cde6b26152cf348fa4f14f456fdc9d86b18d33604100f528ab650fef54a81d7a5c24f2a38c0eb07a73822d9dae5225d22e5e89478802de995cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE263.tmp.exe

Filesize
78KB

MD5
02dd486a059ef8b11a60e397bafc8c1e

SHA1
85269f61c05543df328fe013484ae98d45d4d9c6

SHA256
dc8a2bb3d097bf311bc915259f38f78f1d7b06b0d6fb7e080b4ca0d93a33ad76

SHA512
d969882f10d17ca0973817c7ba101c0b9e43b911a3dcd10c806e84b9d2a143959ffe9e587df29daee8757242c4fe7747f273ea6f92b2799a4b938bdacf27f579

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE2E0.tmp

Filesize
660B

MD5
7d7b876375f4c364efd224378da4765b

SHA1
b20ed550119477c59b3caffb05b57714bedd32cc

SHA256
28448006cab73c95d06d21fafcc79d11fdf4ca990ac2d18aad837b5ee90dd388

SHA512
2df8511c0bc6638b24653ca410cd44a365b4260b15cb10dffb0f414826293a4e03a51e1eb3538880239b809a63825d2155bd13873ee834b8b29ffc45a0691e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1852-0-0x0000000074381000-0x0000000074382000-memory.dmp

Filesize
4KB

Download
memory/1852-1-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/1852-2-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/1852-24-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2480-8-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2480-18-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads