metamorpherrat | 3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd

General

Target

3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe
Size

78KB
MD5

5f0c86b976c87080308f6fc2d3ebe4c8
SHA1

5da80f5e8899e3fed0e77abf18c3a113815d356c
SHA256

3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd
SHA512

cb99ca70a12a446407bb18665660262d006eecc8e2081385213e25aa12b98288a6b9327eedba4136fd164e52ccff8f151c86e67bb0f1477d862b864f1996cfeb
SSDEEP

1536:QhHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qt89/4L1+:8HFoI3ZAtWDDILJLovbicqOq3o+n89/J

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Deletes itself 1 IoCs

pid	Process
2464	tmp9666.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2464	tmp9666.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1656	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe
1656	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp9666.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9666.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe
Token: SeDebugPrivilege	2464	tmp9666.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2488	1656	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe	28
PID 1656 wrote to memory of 2488	1656	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe	28
PID 1656 wrote to memory of 2488	1656	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe	28
PID 1656 wrote to memory of 2488	1656	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe	28
PID 2488 wrote to memory of 2216	2488	vbc.exe	30
PID 2488 wrote to memory of 2216	2488	vbc.exe	30
PID 2488 wrote to memory of 2216	2488	vbc.exe	30
PID 2488 wrote to memory of 2216	2488	vbc.exe	30
PID 1656 wrote to memory of 2464	1656	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe	31
PID 1656 wrote to memory of 2464	1656	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe	31
PID 1656 wrote to memory of 2464	1656	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe	31
PID 1656 wrote to memory of 2464	1656	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe	31

C:\Users\Admin\AppData\Local\Temp\3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe
"C:\Users\Admin\AppData\Local\Temp\3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\toyj9z1r.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97DD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc97DC.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
- C:\Users\Admin\AppData\Local\Temp\tmp9666.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9666.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES97DD.tmp

Filesize
1KB

MD5
4e8636916459f63dc330f6ac85825606

SHA1
fbd4f2c7d038dd8ff21941407fda7b0027535be9

SHA256
691edf9f6c218533dd0a67a0dce5a9e310059f37899691d5265714d08e311159

SHA512
68e99d4352c2049749bc6a58f51a57f173c54edbda52e5a1f025954b905365222134539fdf06f96caa785a78126088f9725247520f199428dfbead815eb6bff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9666.tmp.exe

Filesize
78KB

MD5
da512004c739e74a72a405158cf95109

SHA1
cfa07f4a6417962f3c6b44ce276ac3072abc8ee6

SHA256
4ef87eae908d89d9622879f4f12e4f20e8abe1f6a7d25b735206c285ee1582a5

SHA512
884ba204193c542b2573526a2170da1f677cd03ee6f17007e8eb891ad8660510d6516a4b0b23a788481aa56ed392e8181fe1b18a5779bdf0e206851ac98fc9cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\toyj9z1r.0.vb

Filesize
15KB

MD5
8f7aa33bbc2adebed661c4f99ae64605

SHA1
1adf9c23ad5230b9e7911a73d9fa9aa2b7dc4be1

SHA256
722449dd5a6b896bf251540cb0801cfc10b5178e68b4fe5b97b4d5842c4c664d

SHA512
746bcdb7e45ffe4c65ae039eecb5b85cf4ffef2a2dc294fa7026cb37d38ca9103220eff57dace226e6b36276a3fbcbaa3b7cf47cffb5b39d5eb325be97195417

Download Submit
C:\Users\Admin\AppData\Local\Temp\toyj9z1r.cmdline

Filesize
266B

MD5
1aa0a7cc0f92dc04b4bb14eebbef3387

SHA1
36f35d315a488e3b1e518e071441e4d2bba1e103

SHA256
c0329ebfad25f7e9a0879fdeabce766bb39721fe9bac91e36863166b899d9ec2

SHA512
de9b675667f1f6f9c85acd9562ff79bf21102acbd215a5946cd7e579ed27bff843197d5409d4ac8c653f786a619d6e949da1d7b73d648a5643652e769375af76

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc97DC.tmp

Filesize
660B

MD5
8bde00beea789edae04cb37d8c8018d8

SHA1
ffa2584d966ccc8f3a154918616cd685e3e6f974

SHA256
0a5b97793eecd1488400a234185108fc4bb2416aa736a989f90ef81f3a3d4bf0

SHA512
5567c4975ef14fc018a5bdd6808f375403bf826490b366104a8002968558b6f894ca1e7083ff6da0ad4ee22287e48ce5649208850f6795bf6b0d2c709034bc17

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1656-0-0x0000000074A41000-0x0000000074A42000-memory.dmp

Filesize
4KB

Download
memory/1656-1-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/1656-2-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/1656-24-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2488-8-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2488-18-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads