metamorpherrat | 3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd

General

Target

3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe
Size

78KB
MD5

5f0c86b976c87080308f6fc2d3ebe4c8
SHA1

5da80f5e8899e3fed0e77abf18c3a113815d356c
SHA256

3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd
SHA512

cb99ca70a12a446407bb18665660262d006eecc8e2081385213e25aa12b98288a6b9327eedba4136fd164e52ccff8f151c86e67bb0f1477d862b864f1996cfeb
SSDEEP

1536:QhHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qt89/4L1+:8HFoI3ZAtWDDILJLovbicqOq3o+n89/J

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2748	tmpC726.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1480	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe
1480	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpC726.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC726.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe
Token: SeDebugPrivilege	2748	tmpC726.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1884	1480	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe	30
PID 1480 wrote to memory of 1884	1480	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe	30
PID 1480 wrote to memory of 1884	1480	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe	30
PID 1480 wrote to memory of 1884	1480	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe	30
PID 1884 wrote to memory of 532	1884	vbc.exe	32
PID 1884 wrote to memory of 532	1884	vbc.exe	32
PID 1884 wrote to memory of 532	1884	vbc.exe	32
PID 1884 wrote to memory of 532	1884	vbc.exe	32
PID 1480 wrote to memory of 2748	1480	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe	33
PID 1480 wrote to memory of 2748	1480	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe	33
PID 1480 wrote to memory of 2748	1480	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe	33
PID 1480 wrote to memory of 2748	1480	3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe	33

C:\Users\Admin\AppData\Local\Temp\3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe
"C:\Users\Admin\AppData\Local\Temp\3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4t_mp0ok.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC820.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC81F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:532
- C:\Users\Admin\AppData\Local\Temp\tmpC726.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC726.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4t_mp0ok.0.vb

Filesize
15KB

MD5
63a2f2c5feb6ce0bcb0acab185688e14

SHA1
5e4205364274b214d0eb4bbca6520c7a40a63100

SHA256
cac6a0f3009431bcd23f7170a6119c66acb49142492edaadbe3e9c9aaf1397b5

SHA512
afafc897c8e465b8884d7e001e4db53052966adb8b5b398dd5b26a8d6083061e4a9e6f47a0ab3a75de81365246cd2dce33ed7a4d0792cb83fb96f48ec2fdd53e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4t_mp0ok.cmdline

Filesize
266B

MD5
fdda960d52185e56eebbdebdba80d65a

SHA1
b219510f9f1983c4a43b6da65ff7e89ecc1dbe1e

SHA256
588b978f29b0de8b863e82383a1137198155899a09e405c2de03badee8bfd7c4

SHA512
e6d1414a1b63d8c75d235b197fe6d2a2b50c41bc05e75cf12a8e1ec52ae42108e6f68cff379472bbd1f2136e58357f2535675295cfef08422093ab3ae56a48c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC820.tmp

Filesize
1KB

MD5
dfcd30671bafa61e62e89f3666bc993c

SHA1
e920d218f878f001ac26e66c3f2e8bc89d7e2147

SHA256
18a7c42166578a7efd57ecefb8ea6d5816047982739540e1c9007ca6eb0c5753

SHA512
1e2a3bbf594e02100f42bb3337606c8fca8a797a977ae17e84b6b41aae560f2a82c313bd9dfe7bc49568bfb4073ba992bc9eae3f6ce6bf752f06bea1d702d266

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC726.tmp.exe

Filesize
78KB

MD5
5b2943b70a2c71c2bdcc844e86a046e5

SHA1
1d79d0a3f1c6771135d41c87041405d271965e42

SHA256
1168191c790449fe0716a99dcd622f9a8f694517353cec9a640b6ee4b062f10e

SHA512
5033a25c4b423d770e65e36c98ac53549b2b948122bd48673fd44179ea2674093d8913ae57a94c11ab92a92a16c608747999217bf6fc996fb246236f8530f234

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC81F.tmp

Filesize
660B

MD5
d9364e1102cb9513f9f6712db7d66d3a

SHA1
2328115802f629c4140bc48c2b4257643aa17ea0

SHA256
267c4b2c6dfef1ecbca18ed661d807ac42efc94814d3208fbab46c89c4285b97

SHA512
ebd115cefbed04b735c787457f36d8eb881c08c2127a2fb5a82eed497cd73611e4665b065fd0dddcd20ae870a1305e3316338173564b96191e040c49e1f0e4db

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1480-0-0x00000000741F1000-0x00000000741F2000-memory.dmp

Filesize
4KB

Download
memory/1480-2-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1480-1-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1480-24-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1884-9-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1884-18-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads