metamorpherrat | 487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450

General

Target

487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe
Size

78KB
MD5

6c5f21788583163335bd6134216c53a0
SHA1

5b764d6d1f925f92f2f67cf96df2b9bbcced2b28
SHA256

487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450
SHA512

f39378294351271948dc0745b3c598b44c4ec76524d6b3d33bff92e496e83b162f2fa3976dcd693be24e6f16dc8913d0e35c21dacd10577fe35a9ae127bb062e
SSDEEP

1536:aXPy5jS7AlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6K9/0A1/j:iPy5jS7AtWDDILJLovbicqOq3o+nC9/7

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2948	tmp601A.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2796	487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe
2796	487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp601A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp601A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe
Token: SeDebugPrivilege	2948	tmp601A.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2924	2796	487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe	30
PID 2796 wrote to memory of 2924	2796	487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe	30
PID 2796 wrote to memory of 2924	2796	487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe	30
PID 2796 wrote to memory of 2924	2796	487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe	30
PID 2924 wrote to memory of 2936	2924	vbc.exe	32
PID 2924 wrote to memory of 2936	2924	vbc.exe	32
PID 2924 wrote to memory of 2936	2924	vbc.exe	32
PID 2924 wrote to memory of 2936	2924	vbc.exe	32
PID 2796 wrote to memory of 2948	2796	487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe	33
PID 2796 wrote to memory of 2948	2796	487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe	33
PID 2796 wrote to memory of 2948	2796	487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe	33
PID 2796 wrote to memory of 2948	2796	487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe	33

C:\Users\Admin\AppData\Local\Temp\487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe
"C:\Users\Admin\AppData\Local\Temp\487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f9qhelvp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc62B9.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2936
- C:\Users\Admin\AppData\Local\Temp\tmp601A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp601A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES62CA.tmp

Filesize
1KB

MD5
318ee4e14216417f2b74948847503f6f

SHA1
5c3c062e170c1d4891eea83132cbca865d3dcf07

SHA256
adf58bdc9da881b04c94250786617e6643ca16a015ca6d3a58ff32b86538888b

SHA512
dfba2c6ed09c37381cadfee28383ce9e7017696f3146bfdd79940265deec0eb251df4a470bd2a1ce07e97a5671a1da33fb87d6dc9691dfa93f1d59e6e56bd8aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9qhelvp.0.vb

Filesize
14KB

MD5
0d4bf08de15b8a37292272f69b75099a

SHA1
7607303792b13d7102a869f8fece92f5f4a17372

SHA256
6680c8f8fa4e9e5d03e8cfca18ddf56a6547e38a6c62aded5b8d90dba0a58211

SHA512
34f75b0c5b1a37c6e5d1b793763d5936452f5aa132e27040b5c28c354b031f1d32fa41433302c4f4339ee7f3720270af1c86289191bdc8da240632058f73cb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9qhelvp.cmdline

Filesize
266B

MD5
86202fba2faf59cf159872809358a0d8

SHA1
49874fe3e62ff42f84ed3b422ba9deabc449236b

SHA256
8818970e16dc48e6266bce6d94793a81c9dd1882dd4924a42f2dac9a992f78ae

SHA512
6cc81311808908eff3f22e6cb94d146502dd59f3168f1c695cdd3ef0379f076a2443fb89240bf11fc23ebd2d9fb8d48ac8c7d04d062ceb71a3fd679eebfc2d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp601A.tmp.exe

Filesize
78KB

MD5
8fa2c63a87a3425c301fafe17536e6d8

SHA1
44b4e950fa3a2a3dbefd8d31b3c12886cb3dde87

SHA256
b6df537481ff06c72ab38c304010399c939c61acdb7bcdcfb468bc9e4488806b

SHA512
f9536512d584b1a4ec9f6d56f2eb6b24da762ff5cbf1f8a6df9e6fa24cb2cd981b8a8cf771b46a628cbdfd97ac801643751181c7d436d4e96688c87a80edc4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc62B9.tmp

Filesize
660B

MD5
4b5f641065f9c757550b660c6d5b8c49

SHA1
7aac0e91f5fa89b0343eb81ccd0ac50f52840f19

SHA256
d5c4d45966e5f38e1ac966d24aa899980b4a7735cc92c5528689bfbf54be4a2e

SHA512
684d52a6f657b0af5604b693b6dbd7ccce73d4ce151b377f21caa4597aed69158eb07ba5f6a88c9668d2ddc1949ea54753c85067fd9039cbcbcab291196258b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2796-0-0x0000000074C01000-0x0000000074C02000-memory.dmp

Filesize
4KB

Download
memory/2796-1-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2796-2-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2796-24-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2924-9-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2924-18-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads