metamorpherrat | 3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365

General

Target

3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe
Size

78KB
MD5

7e46f3619f9f0bc6fe88549ff3f14860
SHA1

a66becb2b0984bf66091d26a7f6b7e9548d57ca0
SHA256

3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365
SHA512

cbbbb625fbcf7eb141f394f0b84ad37a6145d3c332dbc9c96bb7ee83aaabb7c35394334e0f97a87b74beb394439fe0f7c4644647c41dfeb6503288b3435afa2a
SSDEEP

1536:5mCHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtL89/n16M:UCH/3ZAtWDDILJLovbicqOq3o+nL89/V

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe

Deletes itself 1 IoCs

pid	Process
624	tmp977D.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
624	tmp977D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp977D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp977D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1536	3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe
Token: SeDebugPrivilege	624	tmp977D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 3480	1536	3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe	83
PID 1536 wrote to memory of 3480	1536	3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe	83
PID 1536 wrote to memory of 3480	1536	3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe	83
PID 3480 wrote to memory of 4880	3480	vbc.exe	85
PID 3480 wrote to memory of 4880	3480	vbc.exe	85
PID 3480 wrote to memory of 4880	3480	vbc.exe	85
PID 1536 wrote to memory of 624	1536	3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe	86
PID 1536 wrote to memory of 624	1536	3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe	86
PID 1536 wrote to memory of 624	1536	3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe	86

C:\Users\Admin\AppData\Local\Temp\3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe
"C:\Users\Admin\AppData\Local\Temp\3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2wnyilp8.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2742C5F2E34B4A4B8AB44DFCAB0D055.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4880
- C:\Users\Admin\AppData\Local\Temp\tmp977D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp977D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2wnyilp8.0.vb

Filesize
15KB

MD5
c1e3db67998816408dc7623201d2fe5d

SHA1
25173340fc09a245fa1faa1d80d9d6800ba2ea61

SHA256
32f6f17ca1bcdbd41b39a4fbc8a05d6c45788610b4d57536d93f1ba2d97055bc

SHA512
f9b998011c8acb086756430af14dc0e9302301e710251a854ec1045a363b43faa7c97af291f0799760f0181f2469df1b251ac383e95ba37900f57df6a05c7d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wnyilp8.cmdline

Filesize
266B

MD5
7e70a14e673e457eba06b99786c5739d

SHA1
2c07b08ccfb59284a045a392fa77704f746282e8

SHA256
e5eae05db3c369c0a27b671ac55ef91136fc7d4c335b493e02d1d5c369dabf8d

SHA512
a94d90086b15483d1777b5e93a072a7a8a07b7b177519383854704db6b3268e6fbf456a0dcddd11cb56209daa6f2785c84ba10706898612cba6a8691965fb831

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES99B0.tmp

Filesize
1KB

MD5
55d8e87f7adcb02e6a28fd822111f71a

SHA1
602379116b0845eff500411b255542171bd8a1b2

SHA256
9de10088cee0f90e30fa3774c89de6c3731105e135068cb595c40664ba572a25

SHA512
c967846ffb7d7d64fc97de23cd56e5619d5ab9ed8fce4a261d98e6c391cc254b9a44a2f7d4f80a170b63cb4e92e2b6564cd3d71a73d5efccdad75588c5b32a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp977D.tmp.exe

Filesize
78KB

MD5
cb6a742b03284ada32b77d4c9c78ad7a

SHA1
8d6a6665f8e657b341fa5fe96cb6b40f191a10b6

SHA256
a5d7389d04a925feea332b541704a25e607bbb0824b5c7594fcdab0b2334d93f

SHA512
343e47e4dddb2e645c5a202cea0351d7cec3ac644f38f3ca7932fcd23a03c52184fda2a1967b599876dd4aa2a43df9b216ba0ecab903e09325eaef993673870e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2742C5F2E34B4A4B8AB44DFCAB0D055.TMP

Filesize
660B

MD5
2930cd70dd4d488f8731603ce98b2aa7

SHA1
79fac24d9aadf0d887927d04469baedbaa53321b

SHA256
51d65d77f96b5e80b47219e73e97332bf727cfb5439406e8222a9121d48a8957

SHA512
642c21ff765cb633a00444aff7d0f97ff98d2e1447b1f2d9c424a3f4d5c907e31327fb81af0348228711bf12e3071b9da0376d11cd4693f1e846b09282b453f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/624-23-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/624-27-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/624-26-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/624-25-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/624-24-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/1536-22-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/1536-2-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/1536-0-0x0000000074EA2000-0x0000000074EA3000-memory.dmp

Filesize
4KB

Download
memory/1536-1-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/3480-18-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/3480-9-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads