metamorpherrat | f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6

General

Target

f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe
Size

78KB
MD5

7b0a38a3578cf6c501f237a5c3f7304f
SHA1

64e0c6a658a53f29133912a6926a7731a6923d1a
SHA256

f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6
SHA512

0ccc62e6e7a0412834ee98920bf58cd2ee7e3275316509d82852f2f019d9ff1c1341958dabd1db5d8ce1e4cf141967ab005e0f6b8ae84ca0d7946f98556d283c
SSDEEP

1536:7osHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qto9/+W3:8sHFoI3ZAtWDDILJLovbicqOq3o+no9N

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2760	tmp9E23.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1644	f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe
1644	f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp9E23.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9E23.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe
Token: SeDebugPrivilege	2760	tmp9E23.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2372	1644	f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe	30
PID 1644 wrote to memory of 2372	1644	f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe	30
PID 1644 wrote to memory of 2372	1644	f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe	30
PID 1644 wrote to memory of 2372	1644	f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe	30
PID 2372 wrote to memory of 2928	2372	vbc.exe	32
PID 2372 wrote to memory of 2928	2372	vbc.exe	32
PID 2372 wrote to memory of 2928	2372	vbc.exe	32
PID 2372 wrote to memory of 2928	2372	vbc.exe	32
PID 1644 wrote to memory of 2760	1644	f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe	33
PID 1644 wrote to memory of 2760	1644	f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe	33
PID 1644 wrote to memory of 2760	1644	f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe	33
PID 1644 wrote to memory of 2760	1644	f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe	33

C:\Users\Admin\AppData\Local\Temp\f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe
"C:\Users\Admin\AppData\Local\Temp\f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y_keruhk.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F3D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F3C.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2928
- C:\Users\Admin\AppData\Local\Temp\tmp9E23.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9E23.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9F3D.tmp

Filesize
1KB

MD5
b401c06efb483ed081f07c1ec3e38d66

SHA1
1b1eded372d2e6122781ad4990f2d0da575c027a

SHA256
2ff54643b49a3cf34171cc3e11e198d0362d45e51ed13446926b8e7b0cbef447

SHA512
e84e7bcb82f1f2dc8fd9f6d2ae3cdf61dccd39409c87076d1308318719726f92894a5dcfea921a7338013c14551e48ac48404ba4b21be398edb1141cf5aa6ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9E23.tmp.exe

Filesize
78KB

MD5
5593d16f32a9a7704d7663574fd26dbf

SHA1
94b5a3ce2a94ee7a9b479f516d006eed9e2c116c

SHA256
f5875f630ee6926054f4b881e61b2d1a3dcc43d29fc326119f5a75e66f525a45

SHA512
91669df0cba8a1b3dd8aafc9360f5301c883720f4fcf2241988a3ed62283fbace479dd8e30fea75fa686b08735d4270e970093cdb4493deafd00b53ece0db620

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9F3C.tmp

Filesize
660B

MD5
04c4a49919e2bc82d29b756e18f63817

SHA1
2e3c10244b97b288144f27f11cc38fc27bae4f37

SHA256
8eab30f858ef7a07ce890beb4d85b6c8797aebb91042e0157b90e181b6f71a3d

SHA512
00a875d481991dbfcb1866770511abcfc14d852e1167e2caf4811f425c85c728149735ee721471737ce91f64909ad82097a133d7e406f4aa16c40d291be69a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\y_keruhk.0.vb

Filesize
15KB

MD5
de335fcccf9c842a423eba47cfd0c744

SHA1
623c2ca735be28af8df28aea6d4e5f5ebd5e67d4

SHA256
05fb67d8b125a75ff13b515daf7e009b111e0f15546884f0f232632ede8c9ec8

SHA512
01ee6c8d2731b7a15449512768d50e83598d7dd515fbfce0e3d78318ecde498c92680cf716dbda02be0191cce4fa0221fe00f977a4863729916fb2e884aa9297

Download Submit
C:\Users\Admin\AppData\Local\Temp\y_keruhk.cmdline

Filesize
266B

MD5
b43113eeea12e87c88b0b2c531f716ec

SHA1
167af8c08fd8370b8263828f297347222dc43f2e

SHA256
023c22c67b0cebc7181e3afe08f44b54190c539408c030dd84d6dca243836d4c

SHA512
7fa4d1776881e8634294e6a27fa32f6743b09760327cedab4565a05521e32e56c080fb9e085170e633f950662f9d76a1b2406e3522c4044f5afc540da1e0832b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1644-0-0x0000000074291000-0x0000000074292000-memory.dmp

Filesize
4KB

Download
memory/1644-1-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/1644-2-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/1644-24-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-8-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-18-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads