metamorpherrat | 579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5

General

Target

579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe
Size

78KB
MD5

99617f3bbab569387123948643b7dd63
SHA1

70bed73665101de3b8f6d511e8caff2157b312e2
SHA256

579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5
SHA512

2126c520f4bc5ff3d3bb895329241feebcf35ae7a2b0caa2fe5292eb3d039184359a49354b334844e35d07023f4c647a6c3490b56a7aabed9330f0bf0c1bcb6c
SSDEEP

1536:Do4tHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtI9/51qT:k4tH/3ZAtWDDILJLovbicqOq3o+nI9/c

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe

Executes dropped EXE 1 IoCs

pid	Process
1260	tmp9654.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp9654.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9654.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe
Token: SeDebugPrivilege	1260	tmp9654.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 4864	1720	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	83
PID 1720 wrote to memory of 4864	1720	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	83
PID 1720 wrote to memory of 4864	1720	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	83
PID 4864 wrote to memory of 2896	4864	vbc.exe	85
PID 4864 wrote to memory of 2896	4864	vbc.exe	85
PID 4864 wrote to memory of 2896	4864	vbc.exe	85
PID 1720 wrote to memory of 1260	1720	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	86
PID 1720 wrote to memory of 1260	1720	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	86
PID 1720 wrote to memory of 1260	1720	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	86

C:\Users\Admin\AppData\Local\Temp\579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe
"C:\Users\Admin\AppData\Local\Temp\579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ucpvdbra.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98F4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF941126FE3554E21BF5FDC4FC72F9AA2.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2896
- C:\Users\Admin\AppData\Local\Temp\tmp9654.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9654.tmp.exe" C:\Users\Admin\AppData\Local\Temp\579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES98F4.tmp

Filesize
1KB

MD5
22cc1aa114e8f68257726ac022084dd9

SHA1
ae3042ff228c735a528cca3c7b30459809e677bf

SHA256
c7af36b19a7b22d50947be3dd00ffafff7a42a9fc5c66573acc99b0404c4b8d6

SHA512
e2768103cbccdb64c4d58661a97e85705af37f1f191cea7f121fb15c3dd3341bbc192af2b0917a544b0fa1b5ee43d96d3bae0ae39b670890c010dde5df07cbd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9654.tmp.exe

Filesize
78KB

MD5
0135ac89848fba40126eac6694cfa93b

SHA1
ea5b15299f118e50362c3363831d1869ef82bb06

SHA256
e02699d270a0347702d618d2ab0a51c4406563cebd0c5bbee33cc1ce48438bf5

SHA512
0551995b850d8aee2cb17204fb1e63351912e44f37217147b645f961242ce5c53dbd533d4278f7c825f45ab57f6f092d29f5ad8202d699b9472f3481d13b48e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucpvdbra.0.vb

Filesize
15KB

MD5
198a98123289e0caec258aa8b6a87b4c

SHA1
13196c786aaa5de18f99942c32523823446f6b24

SHA256
9a7473056cd2092cfa1b10688e40d2af14f6b325e16511db9c4204d37322faf8

SHA512
e09299f34f4aef808eb712849f284cdfdea1e6256ecb467c6c0894c8eaf06152333dbdf3c10a2550a449b61ad664172971fbb34bbee7986346f07b99fb0457b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucpvdbra.cmdline

Filesize
266B

MD5
572a353942eee52f96e95f51ad6b4362

SHA1
e9febe320d3f3954dd135817dd7d2b037d6bdcaf

SHA256
ed42574f462498f348ae20efc0fd1a248626a8c718517893e8155f8b850a931b

SHA512
ca795325942550ab31ef3a1996271b36ae79914c3a299bb406922a1ecf9eef81c995febc799e9a6b45a9cdf30fd906a9fb5c68a4cc4b097d72ddc93989c0f3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF941126FE3554E21BF5FDC4FC72F9AA2.TMP

Filesize
660B

MD5
6a604814e287e08b48856b0cd3b679d8

SHA1
cbb7eef611444255b435322145271ef360e289f2

SHA256
a641e183a3f6cefb6ddff4dbfd599396f916f320a42e6a96bbecd668a29f98cb

SHA512
87313c7b4270ec0feb25f6ea3852b5492e3582989f7701d8562e95fe515180956d0e49cbb6d6f9fe2a3f0e0516e2fb1d4f1a66128e22a5e4434232a3805f055d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1260-23-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/1260-27-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/1260-26-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/1260-25-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/1260-24-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/1720-22-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/1720-0-0x0000000074822000-0x0000000074823000-memory.dmp

Filesize
4KB

Download
memory/1720-2-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/1720-1-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/4864-18-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/4864-8-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads