metamorpherrat | 2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4

General

Target

2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe
Size

78KB
MD5

5ec2b7914f259298f92bbbcbe2c36b9e
SHA1

8049354dd2930dc7b48c7367c8a6f732418436f4
SHA256

2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4
SHA512

5a99385f009ffaa6306e3c88cf3dfa4bd80cad75ad7ea4d5216a9447e9c718b28627c1e7ff6f6300fc570610f71af3a99475d0ccf36835a6d6fae7212c48d25c
SSDEEP

1536:2XRWV5TAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6N9/o1SAI:uRWV5TAtWDDILJLovbicqOq3o+nF9/eI

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe

Executes dropped EXE 1 IoCs

Processes:

tmp7918.tmp.exe

pid process

1704 tmp7918.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

pid	process
1704	tmp7918.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp7918.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp7918.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exevbc.execvtres.exetmp7918.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7918.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exetmp7918.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3288	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe
Token: SeDebugPrivilege	1704	tmp7918.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exevbc.exe

description	pid	process	target process
PID 3288 wrote to memory of 4508	3288	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe	vbc.exe
PID 3288 wrote to memory of 4508	3288	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe	vbc.exe
PID 3288 wrote to memory of 4508	3288	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe	vbc.exe
PID 4508 wrote to memory of 5040	4508	vbc.exe	cvtres.exe
PID 4508 wrote to memory of 5040	4508	vbc.exe	cvtres.exe
PID 4508 wrote to memory of 5040	4508	vbc.exe	cvtres.exe
PID 3288 wrote to memory of 1704	3288	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe	tmp7918.tmp.exe
PID 3288 wrote to memory of 1704	3288	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe	tmp7918.tmp.exe
PID 3288 wrote to memory of 1704	3288	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe	tmp7918.tmp.exe

C:\Users\Admin\AppData\Local\Temp\2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe
"C:\Users\Admin\AppData\Local\Temp\2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l4vbzky8.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B1B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBF88EAFA55044AFEB06C4CC87C3ED911.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5040
- C:\Users\Admin\AppData\Local\Temp\tmp7918.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7918.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7B1B.tmp

Filesize
1KB

MD5
fef7fd55c06d2686de31a446ebd9e592

SHA1
90492b2c6ccd10f5301a18db75d3ca9871a6f1ad

SHA256
1b75c3b121bd257be04bae762324735976a1131c5359e37b7d46eff316604911

SHA512
45cc2e7d394f46267ff165553e5f12810db5c1a9a5b2c2149c4682198e0298f868a208e60831dc32b692977cf05a9a42e2cf9cac02c62100c23e0e8111522c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\l4vbzky8.0.vb

Filesize
14KB

MD5
94045a810f15a6593f4ffc82ac4e6b9f

SHA1
84c7bc3ad9807f2a0732b9580c7913dde24dbc6c

SHA256
4e488a393cc706a28a998483919793ee5b10780c832188f9e0148b07f7bb3da5

SHA512
4ad5dcc22b94544a404475c97bfa122f67f40ad1ab7dcdeeba622f8c1d2f71c8d01741b6bd3e0b1dcad9762950e52dee20be4b57a35fdb5df1fa393a44e9d2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\l4vbzky8.cmdline

Filesize
266B

MD5
5fc4eb68ce3cad1af2d6d8ba6083be01

SHA1
39cc1a91dbd52c9a83cee4c97ae4af2b8b0e272e

SHA256
5577a1d26954a513dbd1b4ca8808b4f24cd718f7104ff1b6615afc96992c245c

SHA512
282e737a8a05ab71cc472a5e3bd3488d5412aa73b602ceae34c94023ba3618459ef089b25a979dcee2a82388d19b5de3e3d39a7c58689a2bd0ffcf5498585b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7918.tmp.exe

Filesize
78KB

MD5
630a00d4793cdbb582622e3db6ab5ee5

SHA1
32075bc9e4bd8a5d3a0defb13eb9db15b4573f67

SHA256
58b3a03d2b903628db59fef31c943f862a09dd9efd9a4d7b9ffa8938ab252f21

SHA512
cd39508937929179d5d995af9ccc57937d0fe13efd3c48620134808cd1d0596fb31a2bb522ecbad4806706f9c92acb462563ea488622f681ea8dad1ecc66f3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBF88EAFA55044AFEB06C4CC87C3ED911.TMP

Filesize
660B

MD5
165af9f32c72e30d9855dded39ae1a9c

SHA1
6fb845e495fc7bcd6edd4be6ebfb84e23488ddfc

SHA256
5aa76bec1ddca04313dac6feefc7d0f10564967868094fbc725966c39e6df77c

SHA512
53ba45d2a5819ab6d048c97d7d062de58dc7e891cc98943b84e439ed7be91a1889bfe8f2843184007655cab6581a282fc2862458b05f56e08b4f024e49140a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1704-24-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1704-23-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1704-25-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1704-26-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1704-27-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/1704-28-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/3288-0-0x0000000074692000-0x0000000074693000-memory.dmp

Filesize
4KB

Download
memory/3288-1-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/3288-22-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/3288-2-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4508-18-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4508-9-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads