metamorpherrat | 8b3c3250bf6454f03cacb9d08f70b23af699e1e67322d35a316bc838af6f7416

General

Target

8b3c3250bf6454f03cacb9d08f70b23af699e1e67322d35a316bc838af6f7416.exe
Size

78KB
MD5

b99cd93aa42db0721ff9b47611a23c15
SHA1

97f95949f3a75a04450d798ff7e7350b43b719b5
SHA256

8b3c3250bf6454f03cacb9d08f70b23af699e1e67322d35a316bc838af6f7416
SHA512

592711fb3c01ee1c44508a4112db6d505f96da88f8e82d9daaebb57da61b746d666f640777c823fb2a4f1e442adefcaa088624221a5a3c94fd28ef8b526b032a
SSDEEP

1536:TX4V5jSuAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6q9/o1LpJ:D4V5jSuAtWDDILJLovbicqOq3o+ni9/G

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	8b3c3250bf6454f03cacb9d08f70b23af699e1e67322d35a316bc838af6f7416.exe

Executes dropped EXE 1 IoCs

pid	Process
4832	tmp9DF5.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp9DF5.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b3c3250bf6454f03cacb9d08f70b23af699e1e67322d35a316bc838af6f7416.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9DF5.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3940	8b3c3250bf6454f03cacb9d08f70b23af699e1e67322d35a316bc838af6f7416.exe
Token: SeDebugPrivilege	4832	tmp9DF5.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 3436	3940	8b3c3250bf6454f03cacb9d08f70b23af699e1e67322d35a316bc838af6f7416.exe	83
PID 3940 wrote to memory of 3436	3940	8b3c3250bf6454f03cacb9d08f70b23af699e1e67322d35a316bc838af6f7416.exe	83
PID 3940 wrote to memory of 3436	3940	8b3c3250bf6454f03cacb9d08f70b23af699e1e67322d35a316bc838af6f7416.exe	83
PID 3436 wrote to memory of 1876	3436	vbc.exe	85
PID 3436 wrote to memory of 1876	3436	vbc.exe	85
PID 3436 wrote to memory of 1876	3436	vbc.exe	85
PID 3940 wrote to memory of 4832	3940	8b3c3250bf6454f03cacb9d08f70b23af699e1e67322d35a316bc838af6f7416.exe	86
PID 3940 wrote to memory of 4832	3940	8b3c3250bf6454f03cacb9d08f70b23af699e1e67322d35a316bc838af6f7416.exe	86
PID 3940 wrote to memory of 4832	3940	8b3c3250bf6454f03cacb9d08f70b23af699e1e67322d35a316bc838af6f7416.exe	86

C:\Users\Admin\AppData\Local\Temp\8b3c3250bf6454f03cacb9d08f70b23af699e1e67322d35a316bc838af6f7416.exe
"C:\Users\Admin\AppData\Local\Temp\8b3c3250bf6454f03cacb9d08f70b23af699e1e67322d35a316bc838af6f7416.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z4xnoxay.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F7C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFAA10476E94343FE8114CA3B58F765B.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1876
- C:\Users\Admin\AppData\Local\Temp\tmp9DF5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9DF5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8b3c3250bf6454f03cacb9d08f70b23af699e1e67322d35a316bc838af6f7416.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9F7C.tmp

Filesize
1KB

MD5
3997155bf8f64a4e99977ed7c612529e

SHA1
ec1c3ce72b7c44c367eebffa3f73165fb0cfb654

SHA256
46e9f9c263c08d3f5b344585bf43f9461ee9e0b1a2e15d49921ceb5ab383501f

SHA512
74defdf36f095ae132a71816026fe70f1cb1acd6c52b6b4a8169354095dcca2d1401132b74b4a1ac8fbb3a43d0c4f965941b71aadd9cf2ed2d3441281c9b55de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9DF5.tmp.exe

Filesize
78KB

MD5
1e10179317f9bd04524b8bec09735720

SHA1
7516a27262e10ae2cec324d982d0ac473b24b935

SHA256
62915f2e188eec76c25f86c8d7917d065fa457f012ecd76d43af58261c5ff796

SHA512
c43f86aa1fb2d6f07cca8ad799112be785154cce9c174146d72b7e9355f56e469fc91e66a37f05fbeac750c79c7c8d3df750652a0b2f5bc6422d9e9982190189

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFAA10476E94343FE8114CA3B58F765B.TMP

Filesize
660B

MD5
22a4ffaab76b49ac353f69954b3de208

SHA1
2998133c3d3e6f48d95bb6c3815d1524ec58d0cc

SHA256
b960e6cde8b41136eabf168078aeea7605d96eea4effd93c32af4669c5c4c5f9

SHA512
86677b76dfd043563bcd4aa3137e7cc200640ec7fa76b973bf5623e13daddebfc64c7630b5be195a87c8a16ae2b8f40f12b0c528f1ac6d57dc0be4b7deae4349

Download Submit
C:\Users\Admin\AppData\Local\Temp\z4xnoxay.0.vb

Filesize
14KB

MD5
73d2f24560929ba427dfde93e393ecbb

SHA1
8eb75c09c9e83720c7d1a9827549ab509954fae2

SHA256
faf635b4b87bba457d263fee6d5a1a694813a417fe9c178c9110ccc13479df9f

SHA512
fac15a934fece11a6df9c97bd899c118d598fb1d7f5b002caa6f1e7d5823e4aac1f41c3d8fa980826d387214eb59806ccacdd3096b99e767641fcea1add5fa90

Download Submit
C:\Users\Admin\AppData\Local\Temp\z4xnoxay.cmdline

Filesize
266B

MD5
9882b4c48f2734b252347e2f3e106618

SHA1
5c9894368b7b3044ed0b0c5512fce1a9ce8e25d1

SHA256
eff0434c844910c30179e0b60aa857c02a8ef3a94d916230c5cef16ffc55804c

SHA512
e6617a429a3cb60acc7844fa0e65975714d71ecdb13bed916018b093be9f258760fad1379f544ebf27529bce4ab0a1a239091f2d8496e93ce28598d520d194d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/3436-8-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/3436-18-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/3940-0-0x00000000751D2000-0x00000000751D3000-memory.dmp

Filesize
4KB

Download
memory/3940-2-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/3940-1-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/3940-22-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4832-23-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4832-25-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4832-24-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4832-26-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4832-27-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4832-28-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads