metamorpherrat | 62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e

General

Target

62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe
Size

78KB
MD5

0c1c80a18b85a2d6f381559023794c7a
SHA1

0d537b5d08445d14aa82bfa1e398bcdae4da0468
SHA256

62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e
SHA512

8429c8878358fe650a8dffeceabda19b0fcba99e60686bd086f3096e8634fee1de507c176c1159aca05dfc66b7026160ed468fdd408aa3e29f418b057ab6ee46
SSDEEP

1536:4ACHF3uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qt89/V1sr:rCHFP3ZAtWDDILJLovbicqOq3o+n89/6

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe

Executes dropped EXE 1 IoCs

pid	Process
4216	tmp62B1.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp62B1.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp62B1.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	324	62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe
Token: SeDebugPrivilege	4216	tmp62B1.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 324 wrote to memory of 936	324	62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe	82
PID 324 wrote to memory of 936	324	62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe	82
PID 324 wrote to memory of 936	324	62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe	82
PID 936 wrote to memory of 224	936	vbc.exe	84
PID 936 wrote to memory of 224	936	vbc.exe	84
PID 936 wrote to memory of 224	936	vbc.exe	84
PID 324 wrote to memory of 4216	324	62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe	85
PID 324 wrote to memory of 4216	324	62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe	85
PID 324 wrote to memory of 4216	324	62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe	85

C:\Users\Admin\AppData\Local\Temp\62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe
"C:\Users\Admin\AppData\Local\Temp\62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:324
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xamfeycm.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES637D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD3ACCC3AC8945A6A54718B174753F2.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:224
- C:\Users\Admin\AppData\Local\Temp\tmp62B1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp62B1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES637D.tmp

Filesize
1KB

MD5
a5af34b588a5657fd3c7500f2ce6d7e7

SHA1
7462dec88eae250f7e6eca12e16fafbd436ea753

SHA256
9b56322db625742eacb862b6f4289fb8c2a27cc94023a061d068edf715aa5317

SHA512
f7e83c5e8ab81dc9c3e053a25eebe31f2b99f1f3c57ae166831844f8fedec8a17fbb74ce59ed58222901a89719431165676aa5a14f66b40bbc8f651e8d96bb65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp62B1.tmp.exe

Filesize
78KB

MD5
bdce714f9e1bf6a4d07f346925e6a8e2

SHA1
61e2c2789a9bde3dd7a89b31aaae3cb654544835

SHA256
ec65b3f56c04e2246920078e643f773780a320597b5b22ca8178e1cb4aa88217

SHA512
686b7df14bae523a0b446cfc7aac22fb39c5cd3f9b8ee7d6219a62a5de991b00830b2cf544d4a8519ddcd65cca6e3ac80359af16194cc2bb40c6db6f5be69311

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFD3ACCC3AC8945A6A54718B174753F2.TMP

Filesize
660B

MD5
d75c89bafa57d9a3d32a6d0d33cec34a

SHA1
89e5ac24017c7701b4860f35812a1261b276f45f

SHA256
4467ad22055570a024b06fa1787c58231528ff94d84343eed9d3740d00841a8e

SHA512
7f110405f307c466cd9faf1e64a76ce7c31676f0d7b41d5afc7e388f1c05572e1fe622ce5f897fceeb9aa66f2c8cf02549d27884fbfa6e16ff513c2c0cfd25f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xamfeycm.0.vb

Filesize
15KB

MD5
a85d3aa56a99ae72d9dec7bc590667aa

SHA1
5a6f15940ec3cef3b3d9f14807b603c39bb7bfd1

SHA256
14facaa5332288c8dfe6cbad1b12b5085b9806ddcafbb41816223e7f7fc8e289

SHA512
49cfc71f20c1d2ff293cc1b2c6993a5bc7b1a135cd5b83abf498af6518c9389d673936a4b83813bd25ab9c6a10b83fdafbf871a0842972b69ac5c169d5574895

Download Submit
C:\Users\Admin\AppData\Local\Temp\xamfeycm.cmdline

Filesize
266B

MD5
7daa04f19309d49313baddabaf80c458

SHA1
97fdd8b682769ca24dc9bb1a58bd1317205eede5

SHA256
ae88db498b032678b325ca8ec76aab2a2aa2a00d3d6eb1b6b87015e6ae5af03e

SHA512
ae497c2d3975a72c1b65f171bcc5cd2d43d1a6757af3a45625a07c658d4109ed23dd2e07ded3c7eb5899ff349851a7b7fb0a0326afd45701a509e875ca82f987

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/324-22-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/324-2-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/324-1-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/324-0-0x0000000075392000-0x0000000075393000-memory.dmp

Filesize
4KB

Download
memory/936-8-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/936-18-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/4216-23-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/4216-24-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/4216-25-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/4216-26-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/4216-27-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads