metamorpherrat | 2a60f5beb7e76d1142c00699aa864dfac91f1024c5d81145c506a57d261be509

General

Target

2a60f5beb7e76d1142c00699aa864dfac91f1024c5d81145c506a57d261be509.exe
Size

78KB
MD5

2bf1fc5fc39a05ac6f85f38847b3ca60
SHA1

a8325a6233e86978851be69b29b94c47bba3922f
SHA256

2a60f5beb7e76d1142c00699aa864dfac91f1024c5d81145c506a57d261be509
SHA512

dcfd2ac642d05e2684d9acece61b665296f19c50490c41cbbe47b302e0c0e6b5265343afd9c9ac78c44dc5479aecc06d4c83f14bcd9509d68abca9d69016c421
SSDEEP

1536:yVc5fAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtS649/j11NEK:oc5fAtWDDILJLovbicqOq3o+nw9/jqK

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	2a60f5beb7e76d1142c00699aa864dfac91f1024c5d81145c506a57d261be509.exe

Executes dropped EXE 1 IoCs

pid	Process
2316	tmp7937.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp7937.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a60f5beb7e76d1142c00699aa864dfac91f1024c5d81145c506a57d261be509.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7937.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4872	2a60f5beb7e76d1142c00699aa864dfac91f1024c5d81145c506a57d261be509.exe
Token: SeDebugPrivilege	2316	tmp7937.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 888	4872	2a60f5beb7e76d1142c00699aa864dfac91f1024c5d81145c506a57d261be509.exe	82
PID 4872 wrote to memory of 888	4872	2a60f5beb7e76d1142c00699aa864dfac91f1024c5d81145c506a57d261be509.exe	82
PID 4872 wrote to memory of 888	4872	2a60f5beb7e76d1142c00699aa864dfac91f1024c5d81145c506a57d261be509.exe	82
PID 888 wrote to memory of 2640	888	vbc.exe	84
PID 888 wrote to memory of 2640	888	vbc.exe	84
PID 888 wrote to memory of 2640	888	vbc.exe	84
PID 4872 wrote to memory of 2316	4872	2a60f5beb7e76d1142c00699aa864dfac91f1024c5d81145c506a57d261be509.exe	85
PID 4872 wrote to memory of 2316	4872	2a60f5beb7e76d1142c00699aa864dfac91f1024c5d81145c506a57d261be509.exe	85
PID 4872 wrote to memory of 2316	4872	2a60f5beb7e76d1142c00699aa864dfac91f1024c5d81145c506a57d261be509.exe	85

C:\Users\Admin\AppData\Local\Temp\2a60f5beb7e76d1142c00699aa864dfac91f1024c5d81145c506a57d261be509.exe
"C:\Users\Admin\AppData\Local\Temp\2a60f5beb7e76d1142c00699aa864dfac91f1024c5d81145c506a57d261be509.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ebtiju1x.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A31.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc64EEA100B5974BC8A75FF2851C2659BB.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2640
- C:\Users\Admin\AppData\Local\Temp\tmp7937.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7937.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2a60f5beb7e76d1142c00699aa864dfac91f1024c5d81145c506a57d261be509.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7A31.tmp

Filesize
1KB

MD5
c7eedeae33ae93c35f1b9e82041d733a

SHA1
75b25f2dae82613a7c7e4e8c528c0799a1f3fbb4

SHA256
7c289c493272b203079ab4f1e3adb9330d25029ec4f7469842e1f7f665b3e61d

SHA512
2387df0a1a592cc396825f779e0d6980695057153324b5ba0cd237742a7863761e717ec66847b97ae281f897d6d3ae130699fa3636ba19c6150e2cc9ae87cae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebtiju1x.0.vb

Filesize
14KB

MD5
46f7bfe4b122bd0ec9f80de99131dd9c

SHA1
4088871e8c89fab0df40b5ad7a85f55ff88f084c

SHA256
3a5efd4fd302a01250a2ca9ca498b1b72a2bbf88cc2a1f36e57d69ba80d59d02

SHA512
d6ad7fd337757a4cbb0b083bccd3224b9fdb42a40c37d46c8af9cc719ec49527359c9162cd4e6bc694137207f5a7bc910c6c2858f437acc24cdbc90b1a9eadfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebtiju1x.cmdline

Filesize
266B

MD5
1ab1a4755ef51833c06f57181e7a4ee6

SHA1
a32c1bd74d5977d7c1188fe68a3100e589867236

SHA256
6bf364b64eed234955bc8f61170a857e66c7673f46025d2e13ed4bfbced50827

SHA512
cc8a7f43d20ffc3e8e4e70c4047e746895a2497f457971813321ceab298f3f1e99bff540b83a06cd74d24f38ddd501046033755d23c969d522772cfe9ed198f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7937.tmp.exe

Filesize
78KB

MD5
2eee10628ca601a7da2ddb3f8f00e7ec

SHA1
6e22dfb0c2aa67dfd7891046f55e742bd42d1b0b

SHA256
6390c34b8ec905e5acaba1422794e8ffd17677af658f9874621076ee589be936

SHA512
3ce466d943a3698e405602beb87a4be31a2a76e470562bca99f51ca3f7b652631fd48348c1b65a3b26dbd6dc9e773f95e91b71bf58e878a91db74de3348c7dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc64EEA100B5974BC8A75FF2851C2659BB.TMP

Filesize
660B

MD5
c187a36602c2a503c0b1d47d69203227

SHA1
5cd08172115df44c891a41e7ed3cd2a5f1743663

SHA256
7488e0cd46e459e32a5e14ec20a642cc877dbb5d9b24dbac6a550523d8bce66b

SHA512
94cbbfe77fd4e7fd9bd084c6dff30c5f88c7faf5b677b0c528e438614cbdd5f48c66eb8aba35cee47eba9fc8596ae12e03096ca8f3b57f92a31e5b026cb2b353

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/888-9-0x0000000075250000-0x0000000075801000-memory.dmp

Filesize
5.7MB

Download
memory/888-18-0x0000000075250000-0x0000000075801000-memory.dmp

Filesize
5.7MB

Download
memory/2316-23-0x0000000075250000-0x0000000075801000-memory.dmp

Filesize
5.7MB

Download
memory/2316-24-0x0000000075250000-0x0000000075801000-memory.dmp

Filesize
5.7MB

Download
memory/2316-25-0x0000000075250000-0x0000000075801000-memory.dmp

Filesize
5.7MB

Download
memory/2316-26-0x0000000075250000-0x0000000075801000-memory.dmp

Filesize
5.7MB

Download
memory/2316-27-0x0000000075250000-0x0000000075801000-memory.dmp

Filesize
5.7MB

Download
memory/2316-28-0x0000000075250000-0x0000000075801000-memory.dmp

Filesize
5.7MB

Download
memory/4872-0-0x0000000075252000-0x0000000075253000-memory.dmp

Filesize
4KB

Download
memory/4872-22-0x0000000075250000-0x0000000075801000-memory.dmp

Filesize
5.7MB

Download
memory/4872-2-0x0000000075250000-0x0000000075801000-memory.dmp

Filesize
5.7MB

Download
memory/4872-1-0x0000000075250000-0x0000000075801000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads