metamorpherrat | 4f3356119cda2529b5450c33cb1bfab6822641a979de1b9f97150cdad94e01bf

General

Target

4f3356119cda2529b5450c33cb1bfab6822641a979de1b9f97150cdad94e01bf.exe
Size

78KB
MD5

625f18d1027b2dccb9e21640672f61c6
SHA1

00713228d5e1ae8c9fce0ae977da3d84585dec3a
SHA256

4f3356119cda2529b5450c33cb1bfab6822641a979de1b9f97150cdad94e01bf
SHA512

b26313dcfe325e972b450cd630cb695274571b2a636a9beb51f43ce42039739b22d7055c4da66d8ef74fdc1e86fce641239acfd8234c8c1f985c084f7d7dfc51
SSDEEP

1536:svy5lAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtS639/S1PKE:4y5lAtWDDILJLovbicqOq3o+nP9/pE

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	4f3356119cda2529b5450c33cb1bfab6822641a979de1b9f97150cdad94e01bf.exe

Executes dropped EXE 1 IoCs

pid	Process
4780	tmp74A3.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp74A3.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f3356119cda2529b5450c33cb1bfab6822641a979de1b9f97150cdad94e01bf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp74A3.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1316	4f3356119cda2529b5450c33cb1bfab6822641a979de1b9f97150cdad94e01bf.exe
Token: SeDebugPrivilege	4780	tmp74A3.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 4384	1316	4f3356119cda2529b5450c33cb1bfab6822641a979de1b9f97150cdad94e01bf.exe	83
PID 1316 wrote to memory of 4384	1316	4f3356119cda2529b5450c33cb1bfab6822641a979de1b9f97150cdad94e01bf.exe	83
PID 1316 wrote to memory of 4384	1316	4f3356119cda2529b5450c33cb1bfab6822641a979de1b9f97150cdad94e01bf.exe	83
PID 4384 wrote to memory of 4180	4384	vbc.exe	85
PID 4384 wrote to memory of 4180	4384	vbc.exe	85
PID 4384 wrote to memory of 4180	4384	vbc.exe	85
PID 1316 wrote to memory of 4780	1316	4f3356119cda2529b5450c33cb1bfab6822641a979de1b9f97150cdad94e01bf.exe	86
PID 1316 wrote to memory of 4780	1316	4f3356119cda2529b5450c33cb1bfab6822641a979de1b9f97150cdad94e01bf.exe	86
PID 1316 wrote to memory of 4780	1316	4f3356119cda2529b5450c33cb1bfab6822641a979de1b9f97150cdad94e01bf.exe	86

C:\Users\Admin\AppData\Local\Temp\4f3356119cda2529b5450c33cb1bfab6822641a979de1b9f97150cdad94e01bf.exe
"C:\Users\Admin\AppData\Local\Temp\4f3356119cda2529b5450c33cb1bfab6822641a979de1b9f97150cdad94e01bf.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\daf3kjjg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7705.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB371C287FE0E4D0CB9C35CB63FFA2DE.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4180
- C:\Users\Admin\AppData\Local\Temp\tmp74A3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp74A3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4f3356119cda2529b5450c33cb1bfab6822641a979de1b9f97150cdad94e01bf.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7705.tmp

Filesize
1KB

MD5
1590e8c6e221ec36664ef07d30f95f51

SHA1
a152665bdc3fbf52c2a18c26b55f04e71e27b798

SHA256
9fba95d439b4b03e837197fc1da0f0b17c210e9fb7396ea0492118234662bdf1

SHA512
35efc15d5ff6001db56ae2753bdc0ddd515032f50ade79c47251c25bf609dc7788ea397ca60b645f8a1514bf93f73d8e55085c6202249a4b2fa7fdc191c4167e

Download Submit
C:\Users\Admin\AppData\Local\Temp\daf3kjjg.0.vb

Filesize
14KB

MD5
31b31bcacf99f67170cea664ead1870e

SHA1
6deec67f7cd8e1856f40a6cf19596c181148a98a

SHA256
0a504b49e8a3834723f38d0d8dc7b3a961e918028222697bba4d913eadaca2ce

SHA512
310af008fbc9e8afee7fad649b4c7ab1c1b12130370692bc7761ba0a4da324270df63aeb2a51857f6d632a0ebd0a7be452b299c0f1dd18d825afecd110f25834

Download Submit
C:\Users\Admin\AppData\Local\Temp\daf3kjjg.cmdline

Filesize
266B

MD5
e447777b83ed34ea5b1cc1374846a8e9

SHA1
2fb18cd30a42f7ff11214d0ec4d18ac2454ccd1b

SHA256
0165e728152b7dc9d34e1c442488df380ef371a8ce63781bd617078dc4f51bff

SHA512
7f7aba56032b03a0cd63c4c134ea0c5e7155337eb8befc51535ffeba7a4354079fbf7782ce7d8c1fd28e63b5b9f195ee2899c63a037a5c83865392ad647ce5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp74A3.tmp.exe

Filesize
78KB

MD5
85519253ab521a7a73555ae235d0a9d2

SHA1
faeb219ab36eea483db82e2f0803cfd97faeabda

SHA256
5afb549a92db6842aa2c9b5c1429676f55225b896495d3b7d66faa21d5812c26

SHA512
c6b77f200d5a3532a5156e8cf4a9937c387d314fb4a27dd2dbfc54f83f85cc34e744383302f106955ac64c444fb6b0cbb6b094e0dc624477dd1022829571d678

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB371C287FE0E4D0CB9C35CB63FFA2DE.TMP

Filesize
660B

MD5
962ae2c136f70946baadde34c07d78f2

SHA1
67bff3b55bc40e593c722e863b908efc51e5950a

SHA256
856127689bb47c94cc836f133275ae88a725fb8fe8adf88b87ed7f5f0cca5cfc

SHA512
e067cae774820e75fc3a48ae73b7252a66894ca3ad4739ee40504f7afaa524525574c376127b22df14781f6d91d66d9e4bccf536b8535f80af597c8b28f6765d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1316-23-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/1316-2-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/1316-1-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/1316-0-0x00000000747C2000-0x00000000747C3000-memory.dmp

Filesize
4KB

Download
memory/4384-8-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4384-18-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4780-22-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4780-24-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4780-25-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4780-26-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4780-27-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4780-28-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads