metamorpherrat | 7184bfb9475c71df866942b04d84e3997cc04b64a06d5f99c9b0fb8caea6b264

General

Target

7184bfb9475c71df866942b04d84e3997cc04b64a06d5f99c9b0fb8caea6b264.exe
Size

78KB
MD5

a49dfe167ffcdb9d573777e75398f3db
SHA1

1a3935b404b1555ba65567ee673d91b754c36667
SHA256

7184bfb9475c71df866942b04d84e3997cc04b64a06d5f99c9b0fb8caea6b264
SHA512

ea19a96a2ed3f9571a7c0f5a3aedc84dac722bd8f5dccc1ee5a0ade27238680ed518998c40725124e11d9f04eb4974a5bbe60692340df95a006c73ecc118badc
SSDEEP

1536:dBy5jSIAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6i9/c11Jf:/y5jSIAtWDDILJLovbicqOq3o+nq9/ef

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7184bfb9475c71df866942b04d84e3997cc04b64a06d5f99c9b0fb8caea6b264.exe

Executes dropped EXE 1 IoCs

pid	Process
312	tmp9700.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp9700.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9700.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7184bfb9475c71df866942b04d84e3997cc04b64a06d5f99c9b0fb8caea6b264.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3104	7184bfb9475c71df866942b04d84e3997cc04b64a06d5f99c9b0fb8caea6b264.exe
Token: SeDebugPrivilege	312	tmp9700.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 1196	3104	7184bfb9475c71df866942b04d84e3997cc04b64a06d5f99c9b0fb8caea6b264.exe	83
PID 3104 wrote to memory of 1196	3104	7184bfb9475c71df866942b04d84e3997cc04b64a06d5f99c9b0fb8caea6b264.exe	83
PID 3104 wrote to memory of 1196	3104	7184bfb9475c71df866942b04d84e3997cc04b64a06d5f99c9b0fb8caea6b264.exe	83
PID 1196 wrote to memory of 3936	1196	vbc.exe	87
PID 1196 wrote to memory of 3936	1196	vbc.exe	87
PID 1196 wrote to memory of 3936	1196	vbc.exe	87
PID 3104 wrote to memory of 312	3104	7184bfb9475c71df866942b04d84e3997cc04b64a06d5f99c9b0fb8caea6b264.exe	89
PID 3104 wrote to memory of 312	3104	7184bfb9475c71df866942b04d84e3997cc04b64a06d5f99c9b0fb8caea6b264.exe	89
PID 3104 wrote to memory of 312	3104	7184bfb9475c71df866942b04d84e3997cc04b64a06d5f99c9b0fb8caea6b264.exe	89

C:\Users\Admin\AppData\Local\Temp\7184bfb9475c71df866942b04d84e3997cc04b64a06d5f99c9b0fb8caea6b264.exe
"C:\Users\Admin\AppData\Local\Temp\7184bfb9475c71df866942b04d84e3997cc04b64a06d5f99c9b0fb8caea6b264.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kvls2n5o.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc92D169F78C914D899B5411D44452BBDF.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3936
- C:\Users\Admin\AppData\Local\Temp\tmp9700.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9700.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7184bfb9475c71df866942b04d84e3997cc04b64a06d5f99c9b0fb8caea6b264.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES98E4.tmp

Filesize
1KB

MD5
d9b38284a0b8d8bd17863a38e1fd2577

SHA1
90cacd089005e46728be40eab407058121b68363

SHA256
88742af152efc23e994741ebf726ff553ae265acb9f18822d17aca5c9a1c0a91

SHA512
d773e915e30b75bea8cc0175228f75e1c8d615f43455967541368818422720757b35fe5f28a3cd3be5e795ade7368a13a39098e36e2b50846658cb6d0fc5d789

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvls2n5o.0.vb

Filesize
14KB

MD5
e9f33dd202822735fe9bddde7dee71fb

SHA1
78616f991796375bb13d47dc18653f4862e552f7

SHA256
af954868555e40cf9ece9c0c948a893befe3a29b8a8e30634d87767a8364e2ef

SHA512
5cf63c821cbf58c6eddc5914edafc196b4f84c97e09530eea8fecd7d8af0448009167907e983edf0cb9679abc678f0ee408510adf9c55028aa9a5557504359c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvls2n5o.cmdline

Filesize
266B

MD5
ad5cd983399fea4060b5c026fdee938e

SHA1
8205484ddc7bc335356f8d09ba0a8066df723f8b

SHA256
1b803efddb30d8896a1f2c11a0441ab0bbe7d932932b7f2584f60dce2530cec4

SHA512
62edfe3dde7c508f58ca9558bdfa05240b281cd5bb9ee28583de6d1f068d0035e8a3177e8631b0a49d689e45e24028c7af02e274756b2a4170a6211083355251

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9700.tmp.exe

Filesize
78KB

MD5
61493dcea567a3c15d843edcb27b95fa

SHA1
17b735d8d0d3f2213b0382a621f1a97aa5b8adcd

SHA256
f1c899f38e58cc41e16cd3bcd72293f6382c0a00b9516088c5dcad386f742b34

SHA512
c7087a7f877d4c68d375dcc82e5c994ecdca33b62e4ad5f62b821bcd228a0d4c1d2d1429bdb65aa93d8bd2f53f06273b932622f4ab4a4d9e77ff0d61eac4c245

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc92D169F78C914D899B5411D44452BBDF.TMP

Filesize
660B

MD5
874ba34f0d15082e9ead488b4b2174c7

SHA1
39588043f62269a8c6481979fb81d5b5c020b03e

SHA256
cab2ebed3b12267564f6e77841764edae31d3e24b3e46daf31ceba491758b2b1

SHA512
3ba1670ead50793c64f3d0193f27121a23aae0acb62287011b4755ceea22171d99e08511a8dbd425cac2e878f0f29820da6a4fbaebd9f13b797074f17c3e9919

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/312-23-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/312-27-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/312-26-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/312-25-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/312-24-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/1196-18-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/1196-9-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/3104-22-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/3104-2-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/3104-1-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/3104-0-0x0000000074802000-0x0000000074803000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads