metamorpherrat | 226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48d

General

Target

226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe
Size

78KB
MD5

8ad0faf2117b5ea58903139c5a313730
SHA1

389e93dce3d28ec65cd75a1baab5e4d05fee0dd0
SHA256

226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48d
SHA512

08f040979c0014c8f3760e3f84be2accf1bde913d5c94668f4bf799ca99237bc776163ba348ba6ed691a41206772895227976b23d4d4ac3c80c4c51d63599565
SSDEEP

1536:4ACHF3uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qt89/V1se:rCHFP3ZAtWDDILJLovbicqOq3o+n89/T

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe

Executes dropped EXE 1 IoCs

pid	Process
4888	tmp6D21.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp6D21.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6D21.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4832	226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe
Token: SeDebugPrivilege	4888	tmp6D21.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 1492	4832	226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe	82
PID 4832 wrote to memory of 1492	4832	226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe	82
PID 4832 wrote to memory of 1492	4832	226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe	82
PID 1492 wrote to memory of 2348	1492	vbc.exe	84
PID 1492 wrote to memory of 2348	1492	vbc.exe	84
PID 1492 wrote to memory of 2348	1492	vbc.exe	84
PID 4832 wrote to memory of 4888	4832	226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe	85
PID 4832 wrote to memory of 4888	4832	226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe	85
PID 4832 wrote to memory of 4888	4832	226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe	85

C:\Users\Admin\AppData\Local\Temp\226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe
"C:\Users\Admin\AppData\Local\Temp\226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t3umx67j.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6DEC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9972D4D88B42F5AEF25B122C8B7052.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2348
- C:\Users\Admin\AppData\Local\Temp\tmp6D21.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6D21.tmp.exe" C:\Users\Admin\AppData\Local\Temp\226e884859c3084e1e624ce7c0d0631101291c78a37712aa2901aed2244ee48dN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6DEC.tmp

Filesize
1KB

MD5
2cde3eeb6aae5dfdb6be25e5803b70bc

SHA1
aa22c94d0498fdf503b2fd468848ef0b913704a5

SHA256
9974479308ab53096889a77a20b2448cb607f227f13af19b287b2ab193031897

SHA512
c4844104daee2c3bf39c7e72b95ed27bb0dfe8eac9d74472c01749dcc48d23c00b23112d52fee0a2cdbcc95ca394829207c8c5efcfd361e47eb82f31c70e33b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\t3umx67j.0.vb

Filesize
15KB

MD5
0a9e1f59a8811423188eb85ab12a39a4

SHA1
f85ba51d7b396b71655e5956733baccc9c231c12

SHA256
6725ab1922fb7b6fbcd0e6d96f1a58b7e1179d04da2fea1cd339429b8f13a1f5

SHA512
2e53cd660e94713e0da1931f00cae0056df6af26e61eb81e941a9d1ee4f4b0e12d1b9e0a6491fbc55d0cf43bde08576b4adae1e162f2c7a1bf1cc5c1f9d1c037

Download Submit
C:\Users\Admin\AppData\Local\Temp\t3umx67j.cmdline

Filesize
266B

MD5
4ed68c62310fc52e340cdbb41aebce71

SHA1
933bdd449a88a25f0cd521fe8c7ac6814f621ffb

SHA256
0f9f324d2ca66732aa7bff6b5a1624e8e51b1184a67c80a720a01f72bf7287df

SHA512
857918fd885191e6ae615a3e03248e4806bd8d29425a1372fa5ee4f6982755f2f1a6debec6a6073f2c6c96e9fdd2ffd14ba42fe695a48db36456db859680f74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6D21.tmp.exe

Filesize
78KB

MD5
93ec218ac2096aa1d3a6f53f92fc2904

SHA1
7f35dba335bfb6ae0a35f21d757a0a8331bf7df7

SHA256
d6529c128666ddc480a606c7959be2f1dfe223827133084043ad4cdb0d886b55

SHA512
c463d6e2dc422aebb6919f651180d5cf1052da6bc1d6c78a4aded03455a0c97cdbca071a8152b5ff0f60f2ad84ffb54883d133f39e209777bd43b62b66a10c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9972D4D88B42F5AEF25B122C8B7052.TMP

Filesize
660B

MD5
a2e6f0fc88557cb216b1f5140d4f87b5

SHA1
ccda09f294a0c22bcbca9da542e68d08ff7a5402

SHA256
4a520f0553b7dfceb9a858609ea66211d9768d5158048db25ea16a72605926e7

SHA512
a70aec295f877325cf486fb3ab1b842e79236e89533c39528119da31b347b26097f9bed88e4bc3712a1691f6abe523eb6930be90cd6858f442541eafcf66d6fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1492-8-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/1492-18-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/4832-0-0x0000000074A92000-0x0000000074A93000-memory.dmp

Filesize
4KB

Download
memory/4832-2-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/4832-1-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/4832-22-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/4888-23-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/4888-24-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/4888-25-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/4888-26-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/4888-27-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads