metamorpherrat | 487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450

General

Target

487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe
Size

78KB
MD5

6c5f21788583163335bd6134216c53a0
SHA1

5b764d6d1f925f92f2f67cf96df2b9bbcced2b28
SHA256

487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450
SHA512

f39378294351271948dc0745b3c598b44c4ec76524d6b3d33bff92e496e83b162f2fa3976dcd693be24e6f16dc8913d0e35c21dacd10577fe35a9ae127bb062e
SSDEEP

1536:aXPy5jS7AlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6K9/0A1/j:iPy5jS7AtWDDILJLovbicqOq3o+nC9/7

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe

Executes dropped EXE 1 IoCs

pid	Process
3244	tmp8BC5.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp8BC5.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8BC5.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1536	487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe
Token: SeDebugPrivilege	3244	tmp8BC5.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 4608	1536	487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe	82
PID 1536 wrote to memory of 4608	1536	487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe	82
PID 1536 wrote to memory of 4608	1536	487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe	82
PID 4608 wrote to memory of 4784	4608	vbc.exe	84
PID 4608 wrote to memory of 4784	4608	vbc.exe	84
PID 4608 wrote to memory of 4784	4608	vbc.exe	84
PID 1536 wrote to memory of 3244	1536	487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe	85
PID 1536 wrote to memory of 3244	1536	487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe	85
PID 1536 wrote to memory of 3244	1536	487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe	85

C:\Users\Admin\AppData\Local\Temp\487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe
"C:\Users\Admin\AppData\Local\Temp\487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qzouztfu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C90.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc175F675440A04DE6BA70C6BD903D869.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4784
- C:\Users\Admin\AppData\Local\Temp\tmp8BC5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8BC5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\487230f1b1fdffe1e47086e7444287dcb79b804f3ce5fb1b9786a8bc45ab9450N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8C90.tmp

Filesize
1KB

MD5
4564ef44554ba2344973b4cf17e4c102

SHA1
8b89833bf56010d54cecdd8e5841581915cab412

SHA256
c0e9fede9a9f5f91de9f64f504d937cbf380242079897e04231f01fa59d34551

SHA512
00bd05f32f35a0bcc501ca7f07454c66e630a7a765e75e64c7b0ae1afb40212e9c65ab96e3248b5c1fafeec2a80a93cca636734bf25f185c8027918165d37ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzouztfu.0.vb

Filesize
14KB

MD5
ed7008ff7042e67fce3b17012197a4ee

SHA1
500b37670349ef5faa85ded745571fdff67467e8

SHA256
121195f141382902b10e5e9803f967698cee6a78e44a5517270315745ed923f3

SHA512
cc948ee653ca8d138eda954d6e638b0425f4821665ac98753785eebaaf0d73c8200f3b82f7a4f317d3095401bbf047c966fd7c471ef94e577c1d9fbf062fbdb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzouztfu.cmdline

Filesize
266B

MD5
4d4d83cde8e4848d1c70adc11c2c3f55

SHA1
10d74ee026d8e27bdee790d21ea53c1508bb932a

SHA256
ad4eb972a2d6e14a1e89e69be8148d9e3a4b2c07352960907ce6d732d9358332

SHA512
9a05890c9e123c7eabad002f98fb91fa036470274f961b434f522e6b0f1e6fba566b24530c8a7d98558bf82d1741674d292f5650e0d6c4f178180bd1b7059364

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8BC5.tmp.exe

Filesize
78KB

MD5
3b78d29877ef104929bdf35b08ef06e7

SHA1
6798c18103b666749aa72d3c72f14c35267422b2

SHA256
7d85f642f85a7c985f63dddc03bb54b5da6c614e4ac4696086256c8f519824f2

SHA512
2853ab27f451e3971320fa8ffadef429c47f717d82127d56c4ef06522a101cb21f76c0b9a0eb871622c4ef5513b0fd357a5b4402744a0d21309ead4bcb1c0e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc175F675440A04DE6BA70C6BD903D869.TMP

Filesize
660B

MD5
cea1823978170ae5576f8b2550a66ff4

SHA1
bebfb3a474cf664b9d4303336a24896b20dd97eb

SHA256
975c42e5565da5a32faea81f6039c26f11d00ddf382b1971fe6e9c78f1bdbaf4

SHA512
9d7fbd6548f3ff5def2581f030e7ffa76e488a2ec2ccd2e1e203f3cf75d525729aeccb3d9cf2e1da6f18145a860f828c23c357857bc754af0aaccb9689d96bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1536-2-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/1536-0-0x0000000075292000-0x0000000075293000-memory.dmp

Filesize
4KB

Download
memory/1536-1-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/1536-22-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/3244-23-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/3244-24-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/3244-25-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/3244-26-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/4608-9-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/4608-18-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads