metamorpherrat | 2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4

General

Target

2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe
Size

78KB
MD5

5ec2b7914f259298f92bbbcbe2c36b9e
SHA1

8049354dd2930dc7b48c7367c8a6f732418436f4
SHA256

2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4
SHA512

5a99385f009ffaa6306e3c88cf3dfa4bd80cad75ad7ea4d5216a9447e9c718b28627c1e7ff6f6300fc570610f71af3a99475d0ccf36835a6d6fae7212c48d25c
SSDEEP

1536:2XRWV5TAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6N9/o1SAI:uRWV5TAtWDDILJLovbicqOq3o+nF9/eI

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp696D.tmp.exe

pid process

2116 tmp696D.tmp.exe

pid	process
2116	tmp696D.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe

pid	process
2844	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe
2844	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp696D.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp696D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exevbc.execvtres.exetmp696D.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp696D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exetmp696D.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2844	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe
Token: SeDebugPrivilege	2116	tmp696D.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exevbc.exe

description	pid	process	target process
PID 2844 wrote to memory of 2528	2844	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe	vbc.exe
PID 2844 wrote to memory of 2528	2844	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe	vbc.exe
PID 2844 wrote to memory of 2528	2844	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe	vbc.exe
PID 2844 wrote to memory of 2528	2844	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe	vbc.exe
PID 2528 wrote to memory of 2924	2528	vbc.exe	cvtres.exe
PID 2528 wrote to memory of 2924	2528	vbc.exe	cvtres.exe
PID 2528 wrote to memory of 2924	2528	vbc.exe	cvtres.exe
PID 2528 wrote to memory of 2924	2528	vbc.exe	cvtres.exe
PID 2844 wrote to memory of 2116	2844	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe	tmp696D.tmp.exe
PID 2844 wrote to memory of 2116	2844	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe	tmp696D.tmp.exe
PID 2844 wrote to memory of 2116	2844	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe	tmp696D.tmp.exe
PID 2844 wrote to memory of 2116	2844	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe	tmp696D.tmp.exe

C:\Users\Admin\AppData\Local\Temp\2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe
"C:\Users\Admin\AppData\Local\Temp\2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eykzeivu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6AA6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6AA5.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2924
- C:\Users\Admin\AppData\Local\Temp\tmp696D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp696D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6AA6.tmp

Filesize
1KB

MD5
009c10701d699ed3d8fd8b27f9115f1d

SHA1
08d08078243931173e78f1d020e13b010f4008f7

SHA256
b1d8a2a85e2f94ffb4b89d568ba7a00d17f27707c6864879830c55c514c833f4

SHA512
2565c925bf00cf41d561e83e25df75c68aa89543c7bde2436b7a5c7e4c1ec58d1a2fd8f18e95df62a941f55ca7a10b9e42a4d14fe4ebfc7752bb8f24d1de3c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\eykzeivu.0.vb

Filesize
14KB

MD5
0dd1f54529e186bbfe298dc3aa0bbe2e

SHA1
f10f00581a21b89699b9b7e05085ac3d0b213c93

SHA256
e1c936596cb9af1f148b44e60b6dcac723713b7f7be14d26712e1500fd72fd1e

SHA512
c1771693806e2745f52f2778cb31af5fb16787cecd6668f98957772e9f3497cf2eb4cbce18422abad3fad7c8dba43bdde802df5971309760bea089ce3acc005f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eykzeivu.cmdline

Filesize
266B

MD5
f97f371460f523d71b22eeeba7e68ced

SHA1
7de2827dbc6c5813f776287ee8bdaacaf6f0ccab

SHA256
f707b3c2aa6a9a0609c324063ccf4ef925999bda20573182d9493e183da75232

SHA512
ef2db5db457071c2c075ddb6a811d0cde80685b13b22975d62335b3370eeb703ec3f2bde5d8581538f26d06e5fc8ef1d6bb48cb60bf5e5e55ccf2fed4b80abe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp696D.tmp.exe

Filesize
78KB

MD5
09e334990f39a4cbf856bf7aaa43ecae

SHA1
2bd151503af82cc0ff928b0a9d892f7fbc14d894

SHA256
5d04568b41f6dcf03654eb7632a3a6b8e369a48d64e2a5996593c2a8e14dc068

SHA512
337291d672c1014f908f710f8b148d756fab9e55561b1e3eaff07d1ae7d22674d7aadcc03381bffe6da9a218c6a5eebc49430042bf6a54e59f32e44d8342174b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6AA5.tmp

Filesize
660B

MD5
a92f02d02c313b3d6a663130f93343be

SHA1
dac3dc8ab8203c31f6af264ff94d65af429e4440

SHA256
3f8cfddf036b4884c356ff196f4a903660a10b35f41adb5f4a8f4268ead4a725

SHA512
9637cf16ed63c9f1ffcdba486d283df487f21574f9445598a8accb00ddaddc70a8a974825cc76b61df5d2664a0823813a246b4a416230adfd6dc17240e9c369b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2528-8-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2528-18-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2844-0-0x0000000074531000-0x0000000074532000-memory.dmp

Filesize
4KB

Download
memory/2844-1-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2844-2-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2844-24-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads