metamorpherrat | 199ddce4e0b3a393414a01566c7aa42efe4e8e894a16780716517a39b7157f61

General

Target

199ddce4e0b3a393414a01566c7aa42efe4e8e894a16780716517a39b7157f61.exe
Size

78KB
MD5

41d48e54bdde61dbaef4a2459f0b365a
SHA1

5cbf19224961eae086069f8176102eca8742358b
SHA256

199ddce4e0b3a393414a01566c7aa42efe4e8e894a16780716517a39b7157f61
SHA512

c742f0f2bfcf44576ebe57d6f7a7128367e27991eeaf4a8cacad59e04276fdf993eab659ad4754fa150351b2abfd37ec3c5bff6c51d83cbc68e1ecb2910a541b
SSDEEP

1536:5mCHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtL89/n161:UCH/3ZAtWDDILJLovbicqOq3o+nL89/K

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	199ddce4e0b3a393414a01566c7aa42efe4e8e894a16780716517a39b7157f61.exe

Deletes itself 1 IoCs

pid	Process
4664	tmpCC78.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4664	tmpCC78.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpCC78.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	199ddce4e0b3a393414a01566c7aa42efe4e8e894a16780716517a39b7157f61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCC78.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	199ddce4e0b3a393414a01566c7aa42efe4e8e894a16780716517a39b7157f61.exe
Token: SeDebugPrivilege	4664	tmpCC78.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 2648	1476	199ddce4e0b3a393414a01566c7aa42efe4e8e894a16780716517a39b7157f61.exe	83
PID 1476 wrote to memory of 2648	1476	199ddce4e0b3a393414a01566c7aa42efe4e8e894a16780716517a39b7157f61.exe	83
PID 1476 wrote to memory of 2648	1476	199ddce4e0b3a393414a01566c7aa42efe4e8e894a16780716517a39b7157f61.exe	83
PID 2648 wrote to memory of 2656	2648	vbc.exe	85
PID 2648 wrote to memory of 2656	2648	vbc.exe	85
PID 2648 wrote to memory of 2656	2648	vbc.exe	85
PID 1476 wrote to memory of 4664	1476	199ddce4e0b3a393414a01566c7aa42efe4e8e894a16780716517a39b7157f61.exe	86
PID 1476 wrote to memory of 4664	1476	199ddce4e0b3a393414a01566c7aa42efe4e8e894a16780716517a39b7157f61.exe	86
PID 1476 wrote to memory of 4664	1476	199ddce4e0b3a393414a01566c7aa42efe4e8e894a16780716517a39b7157f61.exe	86

C:\Users\Admin\AppData\Local\Temp\199ddce4e0b3a393414a01566c7aa42efe4e8e894a16780716517a39b7157f61.exe
"C:\Users\Admin\AppData\Local\Temp\199ddce4e0b3a393414a01566c7aa42efe4e8e894a16780716517a39b7157f61.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fzmhmlvj.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD62.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc30DFA940A3F49BDB496EBAE8895BF.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2656
- C:\Users\Admin\AppData\Local\Temp\tmpCC78.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCC78.tmp.exe" C:\Users\Admin\AppData\Local\Temp\199ddce4e0b3a393414a01566c7aa42efe4e8e894a16780716517a39b7157f61.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCD62.tmp

Filesize
1KB

MD5
d34692bb603d507df7bc4351e177bdf5

SHA1
a0f57c8fb43701e5c87c0b6463db0624c5b52fad

SHA256
42dfc58d312dfbabe7e03931076ef5cca86235f57f7b5fe339b32cdfaaed15d8

SHA512
366da7c1470abaa6cd8846139e2fb15ce1aa80d26600b9af255de8805e6cbabe725b7a9b963713c44018693208d7cb71f5553e363690f3ad4e9df282e4ffee29

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzmhmlvj.0.vb

Filesize
15KB

MD5
b518c27796c9eb6aca95b46485be37ad

SHA1
94803e33d130b54993454bfee4aee278bcbab4b3

SHA256
333997776296134a9585e6333f6f65a8e1d3ce78bf8a56cf6b35af65411f9837

SHA512
9473d4d5baee859d35ec581fed8bd645461ab8ee17a4732cd047605b56b5936349cfe18deb89cebecb0f40c0114a1fde345f6475b4ca1e35bbc85e47b33b3764

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzmhmlvj.cmdline

Filesize
266B

MD5
6047f7a2a0ec60a0c62d4e41a14e5278

SHA1
3f712bc123e4804f161402023ee83d18e4ad85c8

SHA256
789819b3abfa158759642a911f964380325e2e1ce6870a2d6d3ff6bcfbf39b07

SHA512
909f57de4c03991395bf28b9f051377aa721fde72779f772348f3afdf3c362e12a33f6944dcb24a8492b926a81cd408614310a5d7d35b9279c76662482fe1a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCC78.tmp.exe

Filesize
78KB

MD5
af0bd40a7a550fb2f259e4c34e3a1263

SHA1
2e5421fb76f844bbfed192d11294de4fdfb192d5

SHA256
5259ec47e1b6c1a4ff13c77d5722be96db4c969ed6610e69d77729cb96a79e97

SHA512
90ba13f85b43c784020c55cb1c71d47034a19f87c3d2ec5cf5930ae0e7cf3f0c8a3124c4117564fde9b09e414621184c4b560733799faafe0512f3636bd85e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc30DFA940A3F49BDB496EBAE8895BF.TMP

Filesize
660B

MD5
4aa6dfb7509ff5beee5a140174f7dab5

SHA1
c4f0fc3d5bf87306d6d0ff6f16c1715e09176fc3

SHA256
5113d892a8c81f35b69af0c7cc745ce405ff5aaba9eb4fc8fe490011991a97d4

SHA512
6142759cdda58b7ca7415fcacfc284a0801fa8c3460b517604ce41552c8eb2628a67aa10ebb9daece000a57aa0ed53c4f03ef13455eed8e9577315bc2f998b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1476-1-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/1476-2-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/1476-0-0x0000000074BC2000-0x0000000074BC3000-memory.dmp

Filesize
4KB

Download
memory/1476-23-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/2648-8-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/2648-18-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/4664-22-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/4664-25-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/4664-24-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/4664-26-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/4664-27-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/4664-28-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads