metamorpherrat | 579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5

General

Target

579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe
Size

78KB
MD5

99617f3bbab569387123948643b7dd63
SHA1

70bed73665101de3b8f6d511e8caff2157b312e2
SHA256

579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5
SHA512

2126c520f4bc5ff3d3bb895329241feebcf35ae7a2b0caa2fe5292eb3d039184359a49354b334844e35d07023f4c647a6c3490b56a7aabed9330f0bf0c1bcb6c
SSDEEP

1536:Do4tHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtI9/51qT:k4tH/3ZAtWDDILJLovbicqOq3o+nI9/c

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2760	tmpEF6E.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
3048	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe
3048	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpEF6E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEF6E.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe
Token: SeDebugPrivilege	2760	tmpEF6E.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2740	3048	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	30
PID 3048 wrote to memory of 2740	3048	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	30
PID 3048 wrote to memory of 2740	3048	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	30
PID 3048 wrote to memory of 2740	3048	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	30
PID 2740 wrote to memory of 2696	2740	vbc.exe	32
PID 2740 wrote to memory of 2696	2740	vbc.exe	32
PID 2740 wrote to memory of 2696	2740	vbc.exe	32
PID 2740 wrote to memory of 2696	2740	vbc.exe	32
PID 3048 wrote to memory of 2760	3048	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	33
PID 3048 wrote to memory of 2760	3048	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	33
PID 3048 wrote to memory of 2760	3048	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	33
PID 3048 wrote to memory of 2760	3048	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	33

C:\Users\Admin\AppData\Local\Temp\579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe
"C:\Users\Admin\AppData\Local\Temp\579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gnizairt.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF1B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF1AF.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2696
- C:\Users\Admin\AppData\Local\Temp\tmpEF6E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpEF6E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF1B0.tmp

Filesize
1KB

MD5
03750bc756f9ce3ccf6e24a78c206ea7

SHA1
9359863f104ac700151844710ee09a1a76334ddb

SHA256
9f9efa0240dfd87bd94bea15a86bed489995b9a15e8152ad2f59eab7eacaecf1

SHA512
59dcf89fad286abfcb321907d91c723ff136cd9a32e013ff5088ffc6b5ad3970ef6fcdbd35bf4903a536225696b12492e7143b3dc979c8bf2a099b26f30a6cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gnizairt.0.vb

Filesize
15KB

MD5
9c583b46dceb20cbcf4131f9e8a085da

SHA1
2e724746fe230884e4f6e9671302ecb39df12ff2

SHA256
e6cbb139c6e7632783d1c49adb24ec20d67e62fa3ac1c5e31ada954e1044db0b

SHA512
444199759301c734af38c512417cc6a2b69f5bd681fcf693c765962ffe8ef455890ab7ac39735043b086c8fab17fda339697fc82788b637030d8e05b9c460e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gnizairt.cmdline

Filesize
266B

MD5
e3fde2ebd24d96a676403aa18c973c56

SHA1
287ca5a59eccba16f6fe3a483f5380b48332c8a6

SHA256
83aa37cb39ff049ec6426b079047f2cf3081e0a9a4b689259b65112b49291091

SHA512
a39ac918d34f4b97706204616b5f01f57c5f5c592a23594cc2c26518e2cc0922633723710da84bebbeee404955c60220b627c10beaa597f9406c7017ce70c186

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEF6E.tmp.exe

Filesize
78KB

MD5
0b3d8877c992efde319abf5101f1800a

SHA1
035a68635fc402d12ecba1a1df82b8d5afa438ca

SHA256
aaa7a9935a8779c83fbd3b477983f93539a1cb6df9c60ac698a4f8f856f0d380

SHA512
4c3bf58d4531aac4039e8cab7dd74819456c213f3521b4f15a86c3f959eeeb48dd0aa88a485485bca87e76ba56430e07b3e8031364c99729b93b70ceb761e3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF1AF.tmp

Filesize
660B

MD5
f99a09501f157b0c5292335632373518

SHA1
352ca05e5b983d73cdb6a86943a81815352a66be

SHA256
3f5f309e71fb90446ce1ef2ee1e2548fc10392e573c7fdf5aadadac05adc44cc

SHA512
24130a42353e65588ed68e03539cee8f3aa30bbf7ca925628c6340899a6835c058c79a541d831581b975d2587f116a215e9b89b4ed31254727be38b9e25bc717

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2740-8-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2740-18-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/3048-0-0x0000000074621000-0x0000000074622000-memory.dmp

Filesize
4KB

Download
memory/3048-1-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/3048-2-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/3048-24-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads