metamorpherrat | 226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48d

General

Target

226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe
Size

78KB
MD5

8ad0faf2117b5ea58903139c5a313730
SHA1

389e93dce3d28ec65cd75a1baab5e4d05fee0dd0
SHA256

226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48d
SHA512

08f040979c0014c8f3760e3f84be2accf1bde913d5c94668f4bf799ca99237bc776163ba348ba6ed691a41206772895227976b23d4d4ac3c80c4c51d63599565
SSDEEP

1536:4ACHF3uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qt89/V1se:rCHFP3ZAtWDDILJLovbicqOq3o+n89/T

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2752	tmpD20E.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
3052	226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe
3052	226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpD20E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD20E.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe
Token: SeDebugPrivilege	2752	tmpD20E.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 1460	3052	226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe	31
PID 3052 wrote to memory of 1460	3052	226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe	31
PID 3052 wrote to memory of 1460	3052	226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe	31
PID 3052 wrote to memory of 1460	3052	226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe	31
PID 1460 wrote to memory of 2960	1460	vbc.exe	33
PID 1460 wrote to memory of 2960	1460	vbc.exe	33
PID 1460 wrote to memory of 2960	1460	vbc.exe	33
PID 1460 wrote to memory of 2960	1460	vbc.exe	33
PID 3052 wrote to memory of 2752	3052	226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe	34
PID 3052 wrote to memory of 2752	3052	226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe	34
PID 3052 wrote to memory of 2752	3052	226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe	34
PID 3052 wrote to memory of 2752	3052	226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe	34

C:\Users\Admin\AppData\Local\Temp\226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe
"C:\Users\Admin\AppData\Local\Temp\226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v1nkoesx.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2F9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2E9.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2960
- C:\Users\Admin\AppData\Local\Temp\tmpD20E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD20E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD2F9.tmp

Filesize
1KB

MD5
475a4abeba2d18508346699f6bdb9d77

SHA1
3878c65210d1d173b63629f76dde15ec3d723137

SHA256
8a76cdadb43213349ee60c3407d0e462249c7ebd5e805e1440fe401a8ea09b64

SHA512
553626400c85871c6857c6204e42e5116450d297d6eaee02ffe6664fbd717d06ac2ecb50c5a408e2f0dbf90950d4e5518f3dec531c476f77237da23ba621c23b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD20E.tmp.exe

Filesize
78KB

MD5
8cb6773b53fd700b92ac6cd972c76990

SHA1
485e11702e6b67be061b63c0e62ca3398f9722c8

SHA256
d11562b09d827f14c12000d4ee444010832646af3517ca44bbbd493146ab1863

SHA512
62baa98348c29a9204094f235399c08851b282287ed9713df21a7b79f11b97a075558e39c53f237b802d4cb97027b417effd9ddb4383cdc861dc1c194958d904

Download Submit
C:\Users\Admin\AppData\Local\Temp\v1nkoesx.0.vb

Filesize
15KB

MD5
009f2bdb19950ff753c14659ebb76605

SHA1
c5cfd3f68028d03b2cc5bedb1fa656e0140f8e32

SHA256
ef49430efa0990c68174e6772f8c5b0b4935c872dab9c8023367205b7a4fadb9

SHA512
2195fc6bb1d7316b45f736a6a9c643f03bfd4498e81282da67cf25b61dbf83c5fc29b34eee51c942fb7e0e66de9d3d9ca48f398f6d3cfcb38ddd95e76a9f575a

Download Submit
C:\Users\Admin\AppData\Local\Temp\v1nkoesx.cmdline

Filesize
266B

MD5
4ba2f56aa0250bdb02982d0fc34601f8

SHA1
b47d1ba8231b1bb6868bea27d734fdf01d331775

SHA256
c40fa99bd4aa3089fb0abba955836a83ed4e01341590cce0df946f0c60671c33

SHA512
7c5abd61c99a4176a8e5e3d69d34d8e7eb3181407e1628e94f65468fe1d7259c7e9314d9b92ae5702a31ca5adf7016a171bffeee358f2462573c9d5c91cdfb68

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD2E9.tmp

Filesize
660B

MD5
31412ede1e205f1e9b548ad31b5135ef

SHA1
5f92d32e181263af3473b6a9f417a8d282f5edf1

SHA256
5ba6148417ae288c51d8887f88711c6a2fec3aa05c949fd49ef31f49e7db2de7

SHA512
0f54d1f28ef2756eeb98a4cee79b1133de45df15d24177e10c09016d4c752595ad77f16a15747f4fe26d1a6d40b3e81716bc40c28c4f0db649e513084b3b3b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1460-8-0x00000000746C0000-0x0000000074C6B000-memory.dmp

Filesize
5.7MB

Download
memory/1460-18-0x00000000746C0000-0x0000000074C6B000-memory.dmp

Filesize
5.7MB

Download
memory/3052-0-0x00000000746C1000-0x00000000746C2000-memory.dmp

Filesize
4KB

Download
memory/3052-1-0x00000000746C0000-0x0000000074C6B000-memory.dmp

Filesize
5.7MB

Download
memory/3052-2-0x00000000746C0000-0x0000000074C6B000-memory.dmp

Filesize
5.7MB

Download
memory/3052-24-0x00000000746C0000-0x0000000074C6B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads