metamorpherrat | 579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5

General

Target

579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe
Size

78KB
MD5

99617f3bbab569387123948643b7dd63
SHA1

70bed73665101de3b8f6d511e8caff2157b312e2
SHA256

579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5
SHA512

2126c520f4bc5ff3d3bb895329241feebcf35ae7a2b0caa2fe5292eb3d039184359a49354b334844e35d07023f4c647a6c3490b56a7aabed9330f0bf0c1bcb6c
SSDEEP

1536:Do4tHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtI9/51qT:k4tH/3ZAtWDDILJLovbicqOq3o+nI9/c

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe

Executes dropped EXE 1 IoCs

pid	Process
4972	tmpC350.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpC350.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC350.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe
Token: SeDebugPrivilege	4972	tmpC350.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 3680	2904	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	82
PID 2904 wrote to memory of 3680	2904	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	82
PID 2904 wrote to memory of 3680	2904	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	82
PID 3680 wrote to memory of 1708	3680	vbc.exe	84
PID 3680 wrote to memory of 1708	3680	vbc.exe	84
PID 3680 wrote to memory of 1708	3680	vbc.exe	84
PID 2904 wrote to memory of 4972	2904	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	85
PID 2904 wrote to memory of 4972	2904	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	85
PID 2904 wrote to memory of 4972	2904	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	85

C:\Users\Admin\AppData\Local\Temp\579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe
"C:\Users\Admin\AppData\Local\Temp\579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xbx6rcns.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC534.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C84E80F91F413CB3AE1AC5D0176431.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1708
- C:\Users\Admin\AppData\Local\Temp\tmpC350.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC350.tmp.exe" C:\Users\Admin\AppData\Local\Temp\579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC534.tmp

Filesize
1KB

MD5
9f8441883d8fd962fcf8c1cc62575b23

SHA1
6bf7210a95da190e0d6c0853db9be8a005fa2e31

SHA256
160a8e51718bbd870a035eae6026193ebe6104bfc310b3a1e20a300fa786540e

SHA512
8b6a12c1dde438555997a45524007d8b8a86f95585a331d25ccffeeb5a52309cdbff68be1f0367a0986eefe5f578d141079a81dd06f02f2bb0e8fa8fe1e1c248

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC350.tmp.exe

Filesize
78KB

MD5
f35e8675fc18ef21d7fe6a92a89a5ca0

SHA1
e2d4bf5780db08ef1a89c352c6005d3ade18fa3e

SHA256
0adc269e654c20a6750892ad64935909bdfd1c052c7554a80154d7f7dd434cc3

SHA512
f42fa66895e578e2e607571268077d6e0d6db8a340f339bd94d508d81749ca4e54f84c104064b3cd479c7c30584f12c3e4833fc94738cfbb968426dbfea39ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2C84E80F91F413CB3AE1AC5D0176431.TMP

Filesize
660B

MD5
1c6cf140814bb27b4dc4de460715f9a3

SHA1
2e875ffd244f2f6e28e30780298e67741622bfdd

SHA256
2169d8ad74afcbcf5e28fb23d267c532ea7fc37fe32c92c9f28c13713aeb69b3

SHA512
a25dbe4f8011a253a7ed8d7f00c1060ffc9be942207f583317d8519fc119e555762806843f007753627c1895df7bc63e0ca646b5b00f53c982e1dfdfcb9f9fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xbx6rcns.0.vb

Filesize
15KB

MD5
68f4b69b1984576389ad6f0ccde9b608

SHA1
a0523b0d7d578443f0e99b1c891e4b2ab058d629

SHA256
6a2d48f5340c74246942977509153ff4db97cfb802e957f265f932c9581efa64

SHA512
7026de31e1d7259fde4fc739fdf013fc2b280cdb361aa85d98abd0ba7086c0d95ac2c5dee38bdacc1a82d4391a50315ba1a9a81ca9ad3d1e49a9ac7306e9a368

Download Submit
C:\Users\Admin\AppData\Local\Temp\xbx6rcns.cmdline

Filesize
266B

MD5
6b6e0bcbe55658eb7c88950c6af0944a

SHA1
d16a8e8722e538de7a9fabda3767b9930b31f5e1

SHA256
edc904e65042796559cd9bfe577b586112c9156563bdadbdc1545b5551dd614d

SHA512
7538987e54ff3a23c4b99355010d8c7d8629632aac667907d31a9d7185d1ad3c8638004e1905b25e7e7ef5366689243c37c4005b7f283ddec0f5b0f5a81f7fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2904-1-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/2904-2-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/2904-0-0x0000000075492000-0x0000000075493000-memory.dmp

Filesize
4KB

Download
memory/2904-22-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/3680-9-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/3680-18-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/4972-23-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/4972-24-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/4972-25-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/4972-26-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/4972-27-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/4972-28-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads