metamorpherrat | f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2

General

Target

f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe
Size

78KB
MD5

769bedaefa73efbdbb4a456f208a4250
SHA1

345afffc48e5dcd99c97e6781d19bd679b033304
SHA256

f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2
SHA512

4e726cd3e0954ca61314f5b12105da94eefb5d130fa5e0444a2d824968e9c164aa31aba29f8083bf174f4b3b8c3e71ca5b0f49ab4f1ee72db2d7381c24ddc676
SSDEEP

1536:rBWV58UAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtt60m9/E1qv:tWV58UAtWDDILJLovbicqOq3o+nE9/l

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2092	tmp8852.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2508	f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe
2508	f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp8852.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8852.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe
Token: SeDebugPrivilege	2092	tmp8852.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2384	2508	f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe	30
PID 2508 wrote to memory of 2384	2508	f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe	30
PID 2508 wrote to memory of 2384	2508	f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe	30
PID 2508 wrote to memory of 2384	2508	f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe	30
PID 2384 wrote to memory of 2124	2384	vbc.exe	32
PID 2384 wrote to memory of 2124	2384	vbc.exe	32
PID 2384 wrote to memory of 2124	2384	vbc.exe	32
PID 2384 wrote to memory of 2124	2384	vbc.exe	32
PID 2508 wrote to memory of 2092	2508	f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe	33
PID 2508 wrote to memory of 2092	2508	f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe	33
PID 2508 wrote to memory of 2092	2508	f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe	33
PID 2508 wrote to memory of 2092	2508	f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe	33

C:\Users\Admin\AppData\Local\Temp\f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe
"C:\Users\Admin\AppData\Local\Temp\f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aq4wrkry.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES898B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc898A.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2124
- C:\Users\Admin\AppData\Local\Temp\tmp8852.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8852.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f5cc521574d00c38ce2f211e49c2cacd36a177b04a0cadc0d65c8d2ec9ba71f2N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES898B.tmp

Filesize
1KB

MD5
5ac8dbee14afca7d5d6e400dc5c235dd

SHA1
a5951a28ee1cac508b5f878c91384549c3bcac50

SHA256
33fc2ce426bd227ea7b26e8ef84a58dac36d02e6955a4694a7f759647f8afd81

SHA512
aaf876fb31aa0db8f101531162d6641e77f4365e1ecf74da1561173659d709b21d4a734ff9cfa5a22452761ed8432ec8ee1476ea8c9abde96411e14ec5cf1806

Download Submit
C:\Users\Admin\AppData\Local\Temp\aq4wrkry.0.vb

Filesize
14KB

MD5
cb0bfe1d3b74090211b8099fe06a5726

SHA1
4c6abbab1b809b4346124b2fcde6fd0ea5253a53

SHA256
54ed77c67f8f1bd8c621f281184d0f8bf69bb6976894327f45b5393e16b7d483

SHA512
c391b6921db618984bd4c1d3e6e7d939c0effeeafb8d78e6f59fe4eb41f8b1daa13070d6c6d802903093e1a90bc88d0260e6b58c21b403e4db57ae012a8e0800

Download Submit
C:\Users\Admin\AppData\Local\Temp\aq4wrkry.cmdline

Filesize
266B

MD5
2bc2a0a621a42de50d963de440b0b290

SHA1
a9b0a9815cdbd340f464c15503c67f0dca723459

SHA256
76499d2508c415992764a7246a98ffed27d7ce708861cfa08462fd152636ab7e

SHA512
467f97ec270253c2a623b5431843715f9d7e8cdff2e5c6feae00e73a895d8bbc71fd5a77253bad3b36dad19998e0398726c50eca05365130ab77e9cea5638e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8852.tmp.exe

Filesize
78KB

MD5
91fab7a09c267960c584ec4e01239f4b

SHA1
18a0b2a79586997edb414b39e373a19f64dac5cc

SHA256
6aeca9a1a8012892b9aa9d316062020ed2ab8acb355f3bc9f583e94b8b22b05e

SHA512
7e878c28a2c8112361720c6f3bc3bbe1a0a9115b5697286e06c86295dec79369d63ba2c732cead3db51d5b0f9142120e95e3f55e751292f363ffa57458510295

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc898A.tmp

Filesize
660B

MD5
e196b6a1aeea3c27b98c475dc0a36340

SHA1
ad9407dfe089d429d99d006695f46601698c628d

SHA256
63de2f79e354f6a095c7c751a84ca07c2b3cec7cd0bfc82a02e1860b988702ff

SHA512
134e20239be84d98c34f9a3e33130db4b7de7cab87758a9ca7a4097573434c855adca65cb98f162c33703aef20095606cd5baf324fef22a1837e57c5dc68ab25

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2384-8-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2384-18-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2508-0-0x0000000073E41000-0x0000000073E42000-memory.dmp

Filesize
4KB

Download
memory/2508-1-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2508-2-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2508-23-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads