metamorpherrat | 13532b5fccc839db8c7849786afb9b3960d312eca79a19bca9429f979b32b974

General

Target

13532b5fccc839db8c7849786afb9b3960d312eca79a19bca9429f979b32b974.exe
Size

78KB
MD5

14c6df8a7a558231d17248a9239076ba
SHA1

6f022de51894a18f10adfea72aa5019571e15e37
SHA256

13532b5fccc839db8c7849786afb9b3960d312eca79a19bca9429f979b32b974
SHA512

6c29e54cc51d8fd4b25644ec3889f9de4aa5695ce052c362ce86f1db381229f857506f1528e71b4ac0d8d7e5bde018b582debbe7d71ef657938321df1cff5b2a
SSDEEP

1536:5o4tHY6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtP9/31V:e4tHYI3ZAtWDDILJLovbicqOq3o+nP9f

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	13532b5fccc839db8c7849786afb9b3960d312eca79a19bca9429f979b32b974.exe

Executes dropped EXE 1 IoCs

pid	Process
2564	tmp7724.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp7724.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7724.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13532b5fccc839db8c7849786afb9b3960d312eca79a19bca9429f979b32b974.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	13532b5fccc839db8c7849786afb9b3960d312eca79a19bca9429f979b32b974.exe
Token: SeDebugPrivilege	2564	tmp7724.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 2908	1356	13532b5fccc839db8c7849786afb9b3960d312eca79a19bca9429f979b32b974.exe	83
PID 1356 wrote to memory of 2908	1356	13532b5fccc839db8c7849786afb9b3960d312eca79a19bca9429f979b32b974.exe	83
PID 1356 wrote to memory of 2908	1356	13532b5fccc839db8c7849786afb9b3960d312eca79a19bca9429f979b32b974.exe	83
PID 2908 wrote to memory of 4012	2908	vbc.exe	85
PID 2908 wrote to memory of 4012	2908	vbc.exe	85
PID 2908 wrote to memory of 4012	2908	vbc.exe	85
PID 1356 wrote to memory of 2564	1356	13532b5fccc839db8c7849786afb9b3960d312eca79a19bca9429f979b32b974.exe	86
PID 1356 wrote to memory of 2564	1356	13532b5fccc839db8c7849786afb9b3960d312eca79a19bca9429f979b32b974.exe	86
PID 1356 wrote to memory of 2564	1356	13532b5fccc839db8c7849786afb9b3960d312eca79a19bca9429f979b32b974.exe	86

C:\Users\Admin\AppData\Local\Temp\13532b5fccc839db8c7849786afb9b3960d312eca79a19bca9429f979b32b974.exe
"C:\Users\Admin\AppData\Local\Temp\13532b5fccc839db8c7849786afb9b3960d312eca79a19bca9429f979b32b974.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p_xraz5x.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES782D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7A176C237546B1A288A87FA2DD299.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4012
- C:\Users\Admin\AppData\Local\Temp\tmp7724.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7724.tmp.exe" C:\Users\Admin\AppData\Local\Temp\13532b5fccc839db8c7849786afb9b3960d312eca79a19bca9429f979b32b974.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES782D.tmp

Filesize
1KB

MD5
7de1d317081a57066786e2550081bf16

SHA1
a0fa3a344422d187af04d1df8cc06f1a83eec632

SHA256
2a806b195fb9574f2d42ed51029378b3656d3d0a7a3e1a648f7b85d39c21530b

SHA512
cb7f3ac57b4da0993328cf299d7b85ec5b72ba420d671edbc453e60a5f9be526065ae11f1e9b46c728a5754e90db0cceb284517123bb8ea8515bcbb1d2359d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\p_xraz5x.0.vb

Filesize
15KB

MD5
9d0f167a5d2905c392a636b1a5392f44

SHA1
c98a77399ed10791f3b57f85b92f1448554ab90a

SHA256
e601fe9a899ce97e041cea25d53f0f31b986d63da92450dd4044526c82b2c583

SHA512
739ceeb8d01cca6d972f0194a26c161db2ffa161730239a2ed49b70424db603b60f9dfa477a963aadc1cf0f7df5c2d63e2f1762f5cb34bdf5f3458be53b520e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\p_xraz5x.cmdline

Filesize
266B

MD5
2ad76e5102a78e0001a864e6f3a78b1b

SHA1
a2be12e03675883844a4ff1bb9549b3699f53eaf

SHA256
03a228796365dd262360cbf686cf3e5359059639e8c3cfeb74230f0996e4e341

SHA512
fb05bb3ecf67363e01cef5d2e9d166127dd05cb14db7dea811bd6eaed85449223eda04ce81adb2c39dd85be0044be0d1d1c3837e6cbe9238948a302c5d441b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7724.tmp.exe

Filesize
78KB

MD5
18b6ebf88c890aab80a75194b78d05c8

SHA1
3642e95b8bb1c9229c4487093f35f429197bde4c

SHA256
c2101d0f35bd117199e12eadc64ac6d44e74e32eb6fe9b6eac4ab09f68527074

SHA512
0876eff527b389c715169c693c6d0d66e5afdfa02d9f02e45e3eaed3dff4eff998a06e3e5b83d213ec9f3c7a7271c3e84e76cd13e71f9ab3b89f4557dba46a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7A176C237546B1A288A87FA2DD299.TMP

Filesize
660B

MD5
8bdece30657826a32fbf4ffc33b37222

SHA1
da2f606c7653a211f0f78634143d34d585fb774b

SHA256
87b8758f50c0c7e16738d185d71f641526561e01f6ff1ef386d6606e963b1771

SHA512
9bc8c9e29132a621ca919912300547b71303fa18cc87f2eb8ba5967f00bc91ed40a47a62449ac3861eb301393c1a627e33a765f8ca2fb7b5dd7d4746b2b24c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1356-1-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/1356-2-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/1356-0-0x0000000074932000-0x0000000074933000-memory.dmp

Filesize
4KB

Download
memory/1356-22-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2564-23-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2564-24-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2564-25-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2564-26-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2564-27-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2908-18-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2908-8-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads