metamorpherrat | 2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4

General

Target

2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe
Size

78KB
MD5

5ec2b7914f259298f92bbbcbe2c36b9e
SHA1

8049354dd2930dc7b48c7367c8a6f732418436f4
SHA256

2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4
SHA512

5a99385f009ffaa6306e3c88cf3dfa4bd80cad75ad7ea4d5216a9447e9c718b28627c1e7ff6f6300fc570610f71af3a99475d0ccf36835a6d6fae7212c48d25c
SSDEEP

1536:2XRWV5TAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6N9/o1SAI:uRWV5TAtWDDILJLovbicqOq3o+nF9/eI

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe

Executes dropped EXE 1 IoCs

Processes:

tmpBFC6.tmp.exe

pid process

3628 tmpBFC6.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

pid	process
3628	tmpBFC6.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpBFC6.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpBFC6.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cvtres.exetmpBFC6.tmp.exe2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBFC6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exetmpBFC6.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4916	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe
Token: SeDebugPrivilege	3628	tmpBFC6.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exevbc.exe

description	pid	process	target process
PID 4916 wrote to memory of 3712	4916	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe	vbc.exe
PID 4916 wrote to memory of 3712	4916	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe	vbc.exe
PID 4916 wrote to memory of 3712	4916	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe	vbc.exe
PID 3712 wrote to memory of 3480	3712	vbc.exe	cvtres.exe
PID 3712 wrote to memory of 3480	3712	vbc.exe	cvtres.exe
PID 3712 wrote to memory of 3480	3712	vbc.exe	cvtres.exe
PID 4916 wrote to memory of 3628	4916	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe	tmpBFC6.tmp.exe
PID 4916 wrote to memory of 3628	4916	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe	tmpBFC6.tmp.exe
PID 4916 wrote to memory of 3628	4916	2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe	tmpBFC6.tmp.exe

C:\Users\Admin\AppData\Local\Temp\2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe
"C:\Users\Admin\AppData\Local\Temp\2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aqxwuj2p.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC16B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE372A4E3D3554317B07F6F80D85D22DC.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3480
- C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2264db1663700803e9e3c8e8328c98b8ebc3794ad93856cb9300c5742c4246e4.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC16B.tmp

Filesize
1KB

MD5
bc4d38e711354d98eb102a911e6ba207

SHA1
747fc80001033be2ac00a3aeafa518061dabd8ab

SHA256
267f3d8bbc8ed7049d359b69aaf36b4a58c2782bce48998b24d78b2d7f7b3b8b

SHA512
9e41e260a9e7f9a130a4faa89aa14409d8ac52fadc778a8ab28889f008618a144a00a1227539456ea282bb951bff927f38c30eb6f092d3191a5ca1b3ed1b1c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqxwuj2p.0.vb

Filesize
14KB

MD5
2df121c2918e8c3b86b27a07e482b975

SHA1
1b283eee7920f1acfefe767d01f562f1fabc710c

SHA256
e7dbf45dc68d59ad35a67bac92a6fa073d734cbc9dff133d43471e354f1ceb54

SHA512
b8bce5c0c306d8401a944a6de9a7f2cdfda3f652141e53db6a3fe36498332a4495ec43e4d6fb701b4ded3989558bbec20d990625de66f70249d2c7f3848184dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqxwuj2p.cmdline

Filesize
266B

MD5
51e88bbffd1e4700cf0197366fd7f963

SHA1
3c79d2f3b35782868c52873b69b5a142e3a90062

SHA256
a055457d8c6575188bc8253e4f2cd1c2c663ac1861ecdb0dbe23705bdc3143a7

SHA512
b951f121d6a088c1dcea3589b26dc2cfcd423de76dc8e12bccb9b5af9bbd1a0100528586c3a108413a321d55542741d6ee83ea6437dad28db45a77129efd47be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp.exe

Filesize
78KB

MD5
1174ce46becc1c237a2a7de1c5e57a14

SHA1
d06064e87cb18495a7aa523c5fe84e8685b033cb

SHA256
86410c81a052dc752139b59e634c8a001a917132f69b074186a927b7c8f7f8a8

SHA512
711e49705e5a76e7f160b9278d96cee61c0224c600c67082b2d26bc4a4325e95919bb870a2a73891cd9066f5fc1694c8fed8b9edfd3146544a858ee72390e651

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE372A4E3D3554317B07F6F80D85D22DC.TMP

Filesize
660B

MD5
46d5ca83a340da88a113d34f8b43dbd1

SHA1
e72534bf2599de6aed63f8484a4fd47f930131ff

SHA256
18af735c03fde70ec7bd241a7e60bb70de3a5832e530d252f460f7b21c79f16e

SHA512
ba527dbc1b57b3e9f33a17d52ee14f1537e7b2c13bcd8169d993c043db4393e48f727505fd283042118080fdf75f1190c556c872041e3ec01266932fdf658bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/3628-25-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/3628-23-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/3628-24-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/3628-26-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/3628-27-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/3628-28-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/3712-18-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/3712-9-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/4916-0-0x0000000074702000-0x0000000074703000-memory.dmp

Filesize
4KB

Download
memory/4916-22-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/4916-1-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/4916-2-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads