metamorpherrat | 0624df5cf869ba3214f4e94700a3da5832b4352ed9afa6608106e29c5d915934

General

Target

0624df5cf869ba3214f4e94700a3da5832b4352ed9afa6608106e29c5d915934.exe
Size

78KB
MD5

a5c2a36b2f195af30e26dd9bdbfc80f5
SHA1

054bc03c3aad9c30d5588fcae7bd3fb58d604b84
SHA256

0624df5cf869ba3214f4e94700a3da5832b4352ed9afa6608106e29c5d915934
SHA512

24f6812282a0d5db6e550db044cdf3843eabf6635053ad9db02c28b536aca8eb94c227a96376f086e6ffc1136ffd0b976b92bb18e2644e1930d812acd96a71c7
SSDEEP

1536:aXPy5jS7AlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6K9/0A1/9:iPy5jS7AtWDDILJLovbicqOq3o+nC9/1

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2128	tmpAA05.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2580	0624df5cf869ba3214f4e94700a3da5832b4352ed9afa6608106e29c5d915934.exe
2580	0624df5cf869ba3214f4e94700a3da5832b4352ed9afa6608106e29c5d915934.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpAA05.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAA05.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0624df5cf869ba3214f4e94700a3da5832b4352ed9afa6608106e29c5d915934.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	0624df5cf869ba3214f4e94700a3da5832b4352ed9afa6608106e29c5d915934.exe
Token: SeDebugPrivilege	2128	tmpAA05.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2420	2580	0624df5cf869ba3214f4e94700a3da5832b4352ed9afa6608106e29c5d915934.exe	30
PID 2580 wrote to memory of 2420	2580	0624df5cf869ba3214f4e94700a3da5832b4352ed9afa6608106e29c5d915934.exe	30
PID 2580 wrote to memory of 2420	2580	0624df5cf869ba3214f4e94700a3da5832b4352ed9afa6608106e29c5d915934.exe	30
PID 2580 wrote to memory of 2420	2580	0624df5cf869ba3214f4e94700a3da5832b4352ed9afa6608106e29c5d915934.exe	30
PID 2420 wrote to memory of 2100	2420	vbc.exe	32
PID 2420 wrote to memory of 2100	2420	vbc.exe	32
PID 2420 wrote to memory of 2100	2420	vbc.exe	32
PID 2420 wrote to memory of 2100	2420	vbc.exe	32
PID 2580 wrote to memory of 2128	2580	0624df5cf869ba3214f4e94700a3da5832b4352ed9afa6608106e29c5d915934.exe	33
PID 2580 wrote to memory of 2128	2580	0624df5cf869ba3214f4e94700a3da5832b4352ed9afa6608106e29c5d915934.exe	33
PID 2580 wrote to memory of 2128	2580	0624df5cf869ba3214f4e94700a3da5832b4352ed9afa6608106e29c5d915934.exe	33
PID 2580 wrote to memory of 2128	2580	0624df5cf869ba3214f4e94700a3da5832b4352ed9afa6608106e29c5d915934.exe	33

C:\Users\Admin\AppData\Local\Temp\0624df5cf869ba3214f4e94700a3da5832b4352ed9afa6608106e29c5d915934.exe
"C:\Users\Admin\AppData\Local\Temp\0624df5cf869ba3214f4e94700a3da5832b4352ed9afa6608106e29c5d915934.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zvggyrco.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAC1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAAB1.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2100
- C:\Users\Admin\AppData\Local\Temp\tmpAA05.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpAA05.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0624df5cf869ba3214f4e94700a3da5832b4352ed9afa6608106e29c5d915934.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAAC1.tmp

Filesize
1KB

MD5
09001320a809550a5db6773756f4be5f

SHA1
4ae159db49fbae136ea9bf2ed3d9d138af9cb997

SHA256
e404c90f8c9118da501b8c97494d5ba179d8ffb80a07d72b695531fcf9c7371a

SHA512
7992ee27c6e2338ee4275bd364660c966ca4776bab019f43f005d9c68474937eda695a64c8ab2c19221406164cf406438143056ba7d707cf96e37e677312a0ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAA05.tmp.exe

Filesize
78KB

MD5
5a79657f86d4f5dca215a6b32ed79f09

SHA1
cc2687643d2be25d2aba17f3caef00669ca31cf3

SHA256
2af374eda5782ec18b5c5a3bfc9342547dfc94b269c0e5ed231706acd870ffd4

SHA512
7cdccb53e464da77c25f9709689bf48139e17852834db5c563e723988f7af97b3c0055a8743eaaabb1f44ce379cd7264fc38197b2d0df0b3e9d02cca5daeee40

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAAB1.tmp

Filesize
660B

MD5
a6a7c395d970b5aa355282014c5f1865

SHA1
ed16545b69fd328dac7ab1a0219fb0ab8b810386

SHA256
7869db8f2ca334bdd30c343dcf5b7f293ecea1ba8b0cde986113769c5829c65f

SHA512
d708bc6c6e121370e3e7246c33518fa80990e8ad4488829f212784fd3042f35af249d12ee0a180e02f2901d4031b5c231e5b81bf09efe0592d104c7b809c7118

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvggyrco.0.vb

Filesize
14KB

MD5
812e66f6f662d13b146c2c0de5b40315

SHA1
61ed92e6d760da3e00d59d21683886b8ea6f4a58

SHA256
0f6de0e37a345f5f033e4a887408ec33170970350040856de50dcaefd1aa76dc

SHA512
4b42a0e6ea95cc0e527aa693c66da84231591173cf97eb30b525eddc35d19dae05091ff5922b5cd982c47f59fbf6b402f56dd62681c32adf1a89a6338b69db0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvggyrco.cmdline

Filesize
266B

MD5
a48f0603ca81749bd5ffdb37901e67a3

SHA1
2f08b23231232142298580e311bf2a723a803756

SHA256
5f45fa840c778f2210f5a015a7d9e2ad72830fc71c53b435871b777fb0d561d4

SHA512
9c81df4e4208392d04132ceca21b4d3bd9c1edabc40f5d941151f22ad0a2eea3d0799dc04370ff8b01104fc9674eca57d23464a3590b17db69e416066f948b8b

Download Submit
memory/2420-8-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2420-18-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2580-0-0x0000000074161000-0x0000000074162000-memory.dmp

Filesize
4KB

Download
memory/2580-1-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2580-2-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2580-24-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads