metamorpherrat | 17884cf229aa63aaf94324abe95d530c3ac7ae99f5091f9d88b522f9432af07b

General

Target

17884cf229aa63aaf94324abe95d530c3ac7ae99f5091f9d88b522f9432af07bN.exe
Size

78KB
MD5

12a825a3b7815ad79b3813f24d9eb080
SHA1

5a2b0f019475c52c2e2af9c2d8cbc19189c119de
SHA256

17884cf229aa63aaf94324abe95d530c3ac7ae99f5091f9d88b522f9432af07b
SHA512

9841897007a239acee57d5971cac1bf5342773e11d740846faafe86b7ae6b07c943efe987807f46528d13b9705b75104a8861a58cc4a101d8f3a81cbe9db1c79
SSDEEP

1536:Do4tHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtI9/51qr:k4tH/3ZAtWDDILJLovbicqOq3o+nI9/c

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	17884cf229aa63aaf94324abe95d530c3ac7ae99f5091f9d88b522f9432af07bN.exe

Executes dropped EXE 1 IoCs

pid	Process
4500	tmp84DF.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp84DF.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17884cf229aa63aaf94324abe95d530c3ac7ae99f5091f9d88b522f9432af07bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp84DF.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4068	17884cf229aa63aaf94324abe95d530c3ac7ae99f5091f9d88b522f9432af07bN.exe
Token: SeDebugPrivilege	4500	tmp84DF.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 5096	4068	17884cf229aa63aaf94324abe95d530c3ac7ae99f5091f9d88b522f9432af07bN.exe	85
PID 4068 wrote to memory of 5096	4068	17884cf229aa63aaf94324abe95d530c3ac7ae99f5091f9d88b522f9432af07bN.exe	85
PID 4068 wrote to memory of 5096	4068	17884cf229aa63aaf94324abe95d530c3ac7ae99f5091f9d88b522f9432af07bN.exe	85
PID 5096 wrote to memory of 2920	5096	vbc.exe	87
PID 5096 wrote to memory of 2920	5096	vbc.exe	87
PID 5096 wrote to memory of 2920	5096	vbc.exe	87
PID 4068 wrote to memory of 4500	4068	17884cf229aa63aaf94324abe95d530c3ac7ae99f5091f9d88b522f9432af07bN.exe	88
PID 4068 wrote to memory of 4500	4068	17884cf229aa63aaf94324abe95d530c3ac7ae99f5091f9d88b522f9432af07bN.exe	88
PID 4068 wrote to memory of 4500	4068	17884cf229aa63aaf94324abe95d530c3ac7ae99f5091f9d88b522f9432af07bN.exe	88

C:\Users\Admin\AppData\Local\Temp\17884cf229aa63aaf94324abe95d530c3ac7ae99f5091f9d88b522f9432af07bN.exe
"C:\Users\Admin\AppData\Local\Temp\17884cf229aa63aaf94324abe95d530c3ac7ae99f5091f9d88b522f9432af07bN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kl_sonrd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8608.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF28D36248D6F411DA1EE6D49E614D98A.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2920
- C:\Users\Admin\AppData\Local\Temp\tmp84DF.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp84DF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\17884cf229aa63aaf94324abe95d530c3ac7ae99f5091f9d88b522f9432af07bN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8608.tmp

Filesize
1KB

MD5
923612f5bb979798b1b17c2e8f0d079c

SHA1
b14446b2591b1318a84392afea9153652864c950

SHA256
6b39bc1dd010349c2512165d3c12e9cb2e24ec9275ea8c53cf9bc483c76c155b

SHA512
8df40c88e25b3704594b8018ace8b07c37540cb607466713471c8ac38f9a334b00c07625524fdc675d21e1cc19e5cc27431035fe5b2c287444602ca56b1112e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kl_sonrd.0.vb

Filesize
15KB

MD5
dc4962668b9af3ac49243bceb086ad41

SHA1
8ff932fdcbfd2bbf7ab841bef8825d49e0b88805

SHA256
1bea8c7381823d72caedd59407c58b88520bad7c9ee173c8a58c706540e1cee1

SHA512
527f3910b91b4248879721b0ed240bf3cc404693f7f16910aa835a5cf86324cd8cb85c730d0497ec1ccdb02b9efd1292a8d24d2b99fa6fe8dd3f3df81d1179d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kl_sonrd.cmdline

Filesize
266B

MD5
9c41ac53d48b001fa905c7f33a78c471

SHA1
60d755799ddec9025ca63e65d378eb03ddf87ef7

SHA256
c1bba3a4647138371f476c9b974d5539dc03585a5f048b27781823e5b1f7c393

SHA512
3cae98842675ecab66d58ca92ef3e858d515a4ccbb5a2b9074ff29ebfc8ea6168257d2a20a9508539e7c80f1923bf619fb4c30824696ee1edf621bba7864a492

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp84DF.tmp.exe

Filesize
78KB

MD5
413e507f06c09b00ffc98c96abdb463e

SHA1
a30ebb552265ca6b76287162638fcf5992cf6ddb

SHA256
29c08a870fbb8a86eca22cc09ffb0a9239a91ba29544947d3eee2aeeca168be9

SHA512
e48c6f2b0ff843c52e179bc9981358267e37e219a0788c141cfdb2262e610732e2a20b09cee1ca77df6c3b4885d92e03ed62db2a404b8bdaedb54b4d504d61e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF28D36248D6F411DA1EE6D49E614D98A.TMP

Filesize
660B

MD5
b94b8d58c3f51de04e77b683b67ac039

SHA1
027cb73d63c718c1335261b01dec1b6e0092030a

SHA256
cc29d0887b6894057b1f63a45caecb46bbf3a12b9d78ce5cbd2aece32d4cd444

SHA512
a7c477d81028f43b36d76f8df0d2d7edee5d26b35f44365a859d7e38ad2aad69d51e89ba9f98ca1530b6f06bfb57f345445c6af328e0e9e580941351c5e79767

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/4068-1-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4068-2-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4068-0-0x0000000074FD2000-0x0000000074FD3000-memory.dmp

Filesize
4KB

Download
memory/4068-22-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4500-24-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4500-23-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4500-25-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4500-26-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4500-27-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/5096-18-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/5096-8-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads