metamorpherrat | f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6

General

Target

f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe
Size

78KB
MD5

7b0a38a3578cf6c501f237a5c3f7304f
SHA1

64e0c6a658a53f29133912a6926a7731a6923d1a
SHA256

f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6
SHA512

0ccc62e6e7a0412834ee98920bf58cd2ee7e3275316509d82852f2f019d9ff1c1341958dabd1db5d8ce1e4cf141967ab005e0f6b8ae84ca0d7946f98556d283c
SSDEEP

1536:7osHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qto9/+W3:8sHFoI3ZAtWDDILJLovbicqOq3o+no9N

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe

Deletes itself 1 IoCs

pid	Process
4024	tmpB016.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4024	tmpB016.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpB016.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB016.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1352	f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe
Token: SeDebugPrivilege	4024	tmpB016.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 2040	1352	f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe	82
PID 1352 wrote to memory of 2040	1352	f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe	82
PID 1352 wrote to memory of 2040	1352	f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe	82
PID 2040 wrote to memory of 1816	2040	vbc.exe	84
PID 2040 wrote to memory of 1816	2040	vbc.exe	84
PID 2040 wrote to memory of 1816	2040	vbc.exe	84
PID 1352 wrote to memory of 4024	1352	f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe	85
PID 1352 wrote to memory of 4024	1352	f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe	85
PID 1352 wrote to memory of 4024	1352	f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe	85

C:\Users\Admin\AppData\Local\Temp\f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe
"C:\Users\Admin\AppData\Local\Temp\f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dfwk8olb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB100.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9CDD42087FDF44F2AEFFD681DB923036.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1816
- C:\Users\Admin\AppData\Local\Temp\tmpB016.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB016.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f23c65c11f2f9ab9a4ea13352f33f9fddc54c6ebb21182bacf0dd658c8489ad6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB100.tmp

Filesize
1KB

MD5
a0da6f16266da2ad9ef140852e4fcdc9

SHA1
23e7f241a2ea1c244a8344e5c748acc5325d3258

SHA256
e94641f09c9d6a8fcbe60739a0a4b87eaefb19954a624bef3addda3908968bf6

SHA512
59e7d367212307ec4aed3a3ff66c20145e9ec5c05c97c071317f231ec2dbe15346841a852eba6d42969e21e035ce3323b2905490aa8c74b90413dd65e2cf4239

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfwk8olb.0.vb

Filesize
15KB

MD5
59df3fb39cd58457d0e20c5417b4f47f

SHA1
8cf117f29315c54a6d18d68510b09a61b5180dd4

SHA256
6c5782552c1aeac42a8f4405c5d1b13f7ab1efad8121d8370ad6638577a8e2a3

SHA512
4ad11f9cee2db7b63ef00cd719f32b36caae8ae95f610c5a33528539e196f07dbbca42984942c5c5557305eb9aaad59a417cea63063bae096c8c12ce16d579c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfwk8olb.cmdline

Filesize
266B

MD5
c3e43a1cdc7e145e63d706e86aa22b14

SHA1
223dd657b0263961b550de6a2bec6785a8a9e1f4

SHA256
d94edd2e9acc7a0a119822bcda6c5fcf9d8e0581d7eadc04880355326c1c9e80

SHA512
9da34822b83542cf6157695b8448f8a84f07c64a1f77b6adebd6c3ef44a7f5391d4bd83c33547b35bba6ae457a2cfe49ded2a4738b382101d77ea218da4a3a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB016.tmp.exe

Filesize
78KB

MD5
cd5e707f7bd651b288372d68f67369e9

SHA1
a90b6d042d5f52282c4f57d6fa592c3727554a53

SHA256
f0d09783a8fbc92bd583be3eda9109dec88456d36da001d6f02af40cee34872a

SHA512
1625492bfafd78aabbe3ee00277265829227d29a8e5596887bcbfe9c674c49685d89662d73004b34ec524581ca8e58cf37ac5830b46659f9c10e7351ef279d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9CDD42087FDF44F2AEFFD681DB923036.TMP

Filesize
660B

MD5
ff2cf01334d3a579c75bb1c03245dbb0

SHA1
085d7700d28fc8b74c2877a90dd4be68f238920a

SHA256
808756173a518c4304b0ca487821bc524ab2957902c20a7b3fca36d8ce6982ba

SHA512
9fffea1842442d7505fd7bab8edb31c0aad573ab42c2f7dbff45b466a28b8f37bb8e0ef4a63e1993c7e2e4fdac1ae9729af2a180ed4688fbf09c2a7749bf7fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1352-21-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/1352-0-0x00000000754C2000-0x00000000754C3000-memory.dmp

Filesize
4KB

Download
memory/1352-1-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/1352-2-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/2040-14-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/2040-26-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/4024-22-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/4024-23-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/4024-24-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/4024-25-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/4024-27-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/4024-28-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads