metamorpherrat | baf18f78f03db13b7fad06a05db07ce5691519036301628b3b14e06d715688f2

General

Target

baf18f78f03db13b7fad06a05db07ce5691519036301628b3b14e06d715688f2N.exe
Size

78KB
MD5

f752323728897be495c894534e97b790
SHA1

874abe97444f7e4cb9500f726232b3c6be9b907a
SHA256

baf18f78f03db13b7fad06a05db07ce5691519036301628b3b14e06d715688f2
SHA512

8e9474fb201eef6723f46e8b8a206e9b2757e981cfba5d9bc0701697be67f6abe8bd3c2a00049440002e97ae1b87aa2b45966849fde93042fecc21407127047f
SSDEEP

1536:VVe55AlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtd6TS9/D14q:3e55AtWDDILJLovbicqOq3o+nh9/5

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Deletes itself 1 IoCs

pid	Process
2932	tmpE531.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2932	tmpE531.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1820	baf18f78f03db13b7fad06a05db07ce5691519036301628b3b14e06d715688f2N.exe
1820	baf18f78f03db13b7fad06a05db07ce5691519036301628b3b14e06d715688f2N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpE531.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE531.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	baf18f78f03db13b7fad06a05db07ce5691519036301628b3b14e06d715688f2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1820	baf18f78f03db13b7fad06a05db07ce5691519036301628b3b14e06d715688f2N.exe
Token: SeDebugPrivilege	2932	tmpE531.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2456	1820	baf18f78f03db13b7fad06a05db07ce5691519036301628b3b14e06d715688f2N.exe	28
PID 1820 wrote to memory of 2456	1820	baf18f78f03db13b7fad06a05db07ce5691519036301628b3b14e06d715688f2N.exe	28
PID 1820 wrote to memory of 2456	1820	baf18f78f03db13b7fad06a05db07ce5691519036301628b3b14e06d715688f2N.exe	28
PID 1820 wrote to memory of 2456	1820	baf18f78f03db13b7fad06a05db07ce5691519036301628b3b14e06d715688f2N.exe	28
PID 2456 wrote to memory of 2208	2456	vbc.exe	30
PID 2456 wrote to memory of 2208	2456	vbc.exe	30
PID 2456 wrote to memory of 2208	2456	vbc.exe	30
PID 2456 wrote to memory of 2208	2456	vbc.exe	30
PID 1820 wrote to memory of 2932	1820	baf18f78f03db13b7fad06a05db07ce5691519036301628b3b14e06d715688f2N.exe	31
PID 1820 wrote to memory of 2932	1820	baf18f78f03db13b7fad06a05db07ce5691519036301628b3b14e06d715688f2N.exe	31
PID 1820 wrote to memory of 2932	1820	baf18f78f03db13b7fad06a05db07ce5691519036301628b3b14e06d715688f2N.exe	31
PID 1820 wrote to memory of 2932	1820	baf18f78f03db13b7fad06a05db07ce5691519036301628b3b14e06d715688f2N.exe	31

C:\Users\Admin\AppData\Local\Temp\baf18f78f03db13b7fad06a05db07ce5691519036301628b3b14e06d715688f2N.exe
"C:\Users\Admin\AppData\Local\Temp\baf18f78f03db13b7fad06a05db07ce5691519036301628b3b14e06d715688f2N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h3ykukbd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6C7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE6C6.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2208
- C:\Users\Admin\AppData\Local\Temp\tmpE531.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE531.tmp.exe" C:\Users\Admin\AppData\Local\Temp\baf18f78f03db13b7fad06a05db07ce5691519036301628b3b14e06d715688f2N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE6C7.tmp

Filesize
1KB

MD5
17a977ef0b7ef7df83e4ee64489ab8cb

SHA1
7c8c8b5e5a30ed90811c88477c8f9f1d24648faf

SHA256
7a2cfca83ccc897893bbf104089f8196f385a5890ba23e632229c944083b8511

SHA512
0b782c37e1a3ef1fdf653078962157832dc3325fd5aa83a5ba1220bcb3f7dda7cdc95ec918c8699bb242d9626b6849dd76392a8cb9780cc72cd5e7e92095ee59

Download Submit
C:\Users\Admin\AppData\Local\Temp\h3ykukbd.0.vb

Filesize
14KB

MD5
8d3813c14118767a4ae7f385c4686a3c

SHA1
f5dd5fe9a62da5aecf112d32f1004fc97529aeea

SHA256
f7df167f5625e73e5d1888a17876eebf15ac29510d5903598c65484a313140ed

SHA512
96a523cd698aa33885049bed2815070bdcd934a0273e767b1d5134541280d8c5259c8f2afc720bd11c0bced72f8fd76d59db9f0bd899fb6477ddd2c185c4f752

Download Submit
C:\Users\Admin\AppData\Local\Temp\h3ykukbd.cmdline

Filesize
266B

MD5
ff2abae47f3b70b404588c9093d64c01

SHA1
6882eed77782f8b06959146f5243f8aa8ca8685c

SHA256
2f3b25353251dae8f2ac63ee531aa5c3655137edcfa376699ec3e43c0a82d0dc

SHA512
3f53a99da3171bfbfaf4ad3e00e0a4624745c4667d8d81cbc79db662edaee45d357bc479e1111bfdea57fe2acd8231b5818029f2c346f1524e0d1ccbaf124db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE531.tmp.exe

Filesize
78KB

MD5
77429acf7cb029711e955d200f495da1

SHA1
bf35d6c496b4ad6a29abb06be00648e8e8f25981

SHA256
9e994b7b2606a75fc197491a765df3ebaac3e280c86a05bd2f7d5906d68e6fa8

SHA512
bc7da893e5c1de12bb5bb310fc323e48694484eb2a2ff60c49c3dca315967dfaa6c6f4e68a05b6cb2abf193135ff998afce1c8dd8696e90e3dd3272e4d55e5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE6C6.tmp

Filesize
660B

MD5
4968b117dcdcb1cb25fae1a308c834e4

SHA1
6244c8e3241a0a489cd67948f49f53b88645a848

SHA256
5eabc0ea6c418e936c793f0a27465a36fc9073ae68976195e0efa9cbc44e67a8

SHA512
be4299946ad0cfdfd8c92f3c29d63f6147d807b09efff91ff6700091aa92b23f00a691807210d320417064c49fee2330da78b9d1b84a7bfc2bb88912796048f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1820-0-0x0000000074821000-0x0000000074822000-memory.dmp

Filesize
4KB

Download
memory/1820-1-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/1820-2-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/1820-23-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2456-8-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2456-18-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads