metamorpherrat | aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcb

General

Target

aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe
Size

78KB
MD5

442b7d8c2d93defb8f0fbde86cebf5a0
SHA1

36d14755c0bd7edf49b150975ca85efe7241d508
SHA256

aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcb
SHA512

52ae9241ce0cf7d84ed4a7ce71f379baee13e2b8cf704da7e77dbf4fb7926758d9d1fe45a3351230a477afd4d0ece05a93a558aaf4ae4b56a931112188068a39
SSDEEP

1536:rVRWV5bAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtd6G79/k17t:JRWV5bAtWDDILJLovbicqOq3o+nr79/4

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe

Executes dropped EXE 1 IoCs

pid	Process
3252	tmp96C2.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp96C2.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp96C2.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe
Token: SeDebugPrivilege	3252	tmp96C2.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2596	2704	aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe	84
PID 2704 wrote to memory of 2596	2704	aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe	84
PID 2704 wrote to memory of 2596	2704	aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe	84
PID 2596 wrote to memory of 3740	2596	vbc.exe	86
PID 2596 wrote to memory of 3740	2596	vbc.exe	86
PID 2596 wrote to memory of 3740	2596	vbc.exe	86
PID 2704 wrote to memory of 3252	2704	aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe	88
PID 2704 wrote to memory of 3252	2704	aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe	88
PID 2704 wrote to memory of 3252	2704	aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe	88

C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe
"C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\carfsgrf.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98F4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCB6B611DC8EE48228D388D5BA50505F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3740
- C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES98F4.tmp

Filesize
1KB

MD5
22120b5dda646ef7227bafa4e1ef77f0

SHA1
6addeb586ddbaf26ca89f7a1ce6360ee34a1b276

SHA256
030ef7ebb4af09653e9939a863c36d68f634c74bd3f39b006aa71540a33b8212

SHA512
aeb42f8fd9104ca91a59cc4d07caad2e40adf90ea9cec0e2de51a4778b371c31af63663783a351930a293557e26f962c86d23e5855611dcafae8ed0522caa33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\carfsgrf.0.vb

Filesize
14KB

MD5
730687c1a77de5779af72f8ad7c587bf

SHA1
781752c9abfef3a80d28a6f527c084ea2e8c267f

SHA256
b3c12004688e2c9ef987e9769a8e3811e0ff1516c23202742e11c4ccf68b7e54

SHA512
7a1d04c586c18815ce9ba876191e4f084c7a8ee3a3dfa602ee49773db0e1354f0fe7f9d2d9a93ec3e96238ad7d5ff8c6703bbab3527839daf3f5aea7d0a35730

Download Submit
C:\Users\Admin\AppData\Local\Temp\carfsgrf.cmdline

Filesize
266B

MD5
2c863b727b645b3a52c793f7d63a7af5

SHA1
6ad8797c0e313d147dc9dcfb8809ef57a1077100

SHA256
7dd2d2058039e3ebede03f7e46f5cf8789c870a1ad6ab18cdb6f536d3aec1509

SHA512
e6ef0df6d298b953f2f50a83c07b963d976a32f7275add11a5d6b2b3161d68d5e57af7d22ae6aa855b512cfdb2e46458b734739e55f372c71eea93276012c115

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp.exe

Filesize
78KB

MD5
59d4bd83693455552fa6ebf736e49bf1

SHA1
d2056c3e399f8b72a61d4230b3804e4c893158f9

SHA256
c2245ab70b034e598482d53bc9b45bb76766e5e60f192dc306e1806133870f94

SHA512
e14fedfba9be289331244e22d2ec6129a96b1a024ef366892c37455275033a787d352141ead2940b99e98595002bac48468fbfb4e0e5ba00da70ee946d1e422e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCB6B611DC8EE48228D388D5BA50505F.TMP

Filesize
660B

MD5
8edb0db0810e7db3b678904807e76f40

SHA1
06901b718597fb0993672f9748a966a772f187b8

SHA256
78ca6e48d5a2958935c623fcf65ccd20e0b3df47d1fc4e217070a26544d2efcd

SHA512
3be68dcf6684540cd961b9e3a6e216a089b1724a1110212b5202121a0bda67ae7f9628520a5990ea762f92fa806b00efafe94f255ba6666fcbc4a67e33737c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2596-9-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/2596-18-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/2704-2-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/2704-0-0x0000000074E82000-0x0000000074E83000-memory.dmp

Filesize
4KB

Download
memory/2704-1-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/2704-22-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3252-23-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3252-24-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3252-25-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3252-26-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3252-27-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads