metamorpherrat | b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570

General

Target

b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe
Size

78KB
MD5

639265f6013573f257f7ab35a0fb88fb
SHA1

cf45a64368939a2b194c08b20bacb65824df9c76
SHA256

b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570
SHA512

2f49048fdb55b0439552b428b2751f9dd9c0850280a950fcd85eb195891101ec4f96362ed3dde06dbdcc9d335dad7deccf1a935744ed0be387347d27ef5e5fe7
SSDEEP

1536:8Vc5lAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtS6GD9/A13F:Gc5lAtWDDILJLovbicqOq3o+n69/Q

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe

Executes dropped EXE 1 IoCs

Processes:

tmp9A9A.tmp.exe

pid process

2360 tmp9A9A.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

pid	process
2360	tmp9A9A.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp9A9A.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp9A9A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exevbc.execvtres.exetmp9A9A.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9A9A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exetmp9A9A.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1356	b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe
Token: SeDebugPrivilege	2360	tmp9A9A.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exevbc.exe

description	pid	process	target process
PID 1356 wrote to memory of 3484	1356	b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe	vbc.exe
PID 1356 wrote to memory of 3484	1356	b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe	vbc.exe
PID 1356 wrote to memory of 3484	1356	b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe	vbc.exe
PID 3484 wrote to memory of 2532	3484	vbc.exe	cvtres.exe
PID 3484 wrote to memory of 2532	3484	vbc.exe	cvtres.exe
PID 3484 wrote to memory of 2532	3484	vbc.exe	cvtres.exe
PID 1356 wrote to memory of 2360	1356	b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe	tmp9A9A.tmp.exe
PID 1356 wrote to memory of 2360	1356	b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe	tmp9A9A.tmp.exe
PID 1356 wrote to memory of 2360	1356	b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe	tmp9A9A.tmp.exe

C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe
"C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c3njrxmt.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9CEC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E526CA59D940FF8FCA129C2BB9D5A5.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2532
- C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9CEC.tmp

Filesize
1KB

MD5
8e2c7f76cbc182df78059f1898ef1665

SHA1
33d82d4bbd6af7d21b14330dd556ca03672bc578

SHA256
bb47f0a7902e05b8037c438ff8dee464b5c1a36fa77ef59eade2b09574e29e30

SHA512
00c8a4bf1b43bb2fa7cb442a42310416a90941c20deebc1f98719ceb9c9ecc455891d24e5aedf87c498442c019bce8e1287673ab258404ca39985a58a241f449

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3njrxmt.0.vb

Filesize
14KB

MD5
6a76defbb4fc5df5c5e46d899f0fccfa

SHA1
31a6d35661beec3085b717709065a8d2b584bdb3

SHA256
94900dc6f9878bab9c41f1a5baf994454e1c06d16355aad1f8d83af7fe06ed1f

SHA512
a54becbf1bc564d8667a0884717e911b6fc66cba07db43d4f9b79844699623d27466b2dcd2502ee3902e3c6195105719d96a456709f0e25c084586cce4289912

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3njrxmt.cmdline

Filesize
266B

MD5
b224861c9f4cb83614ca312470943b7f

SHA1
acf2deac748a8ff56fcff784819e1954db5af920

SHA256
8de1fdd78601efe535872000dccbdda28ca58f5a24a26c68c8a8097320a94b38

SHA512
0943aa3432a7c563907196f9b19d56dcb34100d6231b59d058534bb7ffd1e4d737faa686ff08d3267a69558338a556d08488af31b6702f1b7557a635445cb742

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe

Filesize
78KB

MD5
e5d82fabd54cbc5bde7b290c23c9c3f1

SHA1
cbea914b90472a1fabca37633cc1ace928caf08d

SHA256
fda04eaa80a2c637459804588eef207db5c54fcabf0155fc41b0a204fda996b1

SHA512
73bf9d51990912a2c39cb5355f9c2ba7c589e39912149ee7fc299261a8b7c1908ca6c84f1a3efdb3561b0940fca9990b3ca5ecd42a39033f02e42d6c3104c44e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2E526CA59D940FF8FCA129C2BB9D5A5.TMP

Filesize
660B

MD5
c0dc8a76a6b8151727fd299fb8fcaf60

SHA1
eb4828088205baaf92cfc000534f045b0c7b5cfe

SHA256
a01e63f95fcd953b8de23d44899af867ac98f7cb8dca8f069823512d70d19036

SHA512
7c6532389098fb3686ad1444a2119fe9338c364d587077ede0d8a5cda5216f4c4d3e47d620609b22e847206313356db4258c7ef1a9d7622939ed85f7b1d91946

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1356-1-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/1356-2-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/1356-0-0x00000000749D2000-0x00000000749D3000-memory.dmp

Filesize
4KB

Download
memory/1356-23-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/2360-24-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/2360-22-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/2360-25-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/2360-26-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/2360-27-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/2360-28-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/3484-9-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/3484-18-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads