metamorpherrat | c7b8522a03d1e130cd927e51ddd7e11a77cb7bd2ba370ca9a23f644a2ff98e11

General

Target

c7b8522a03d1e130cd927e51ddd7e11a77cb7bd2ba370ca9a23f644a2ff98e11N.exe
Size

78KB
MD5

39e605d590615ffda6969f7d96a7d240
SHA1

44cb3125e7dd2e3c9257d2181025ba628bc6ec7b
SHA256

c7b8522a03d1e130cd927e51ddd7e11a77cb7bd2ba370ca9a23f644a2ff98e11
SHA512

329d7c5b0d9c6b47a3ba03772827ffa1871c7b68f0d71ccb3d66a1f044eda58ec31342b8ecd4b9e9380b07f0d6b8da19efca3f67aecd106e1d579e4c35d49409
SSDEEP

1536:SVPy5jnAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtd6e9/w0160:IPy5jnAtWDDILJLovbicqOq3o+nt9/wW

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2404	tmpB403.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2092	c7b8522a03d1e130cd927e51ddd7e11a77cb7bd2ba370ca9a23f644a2ff98e11N.exe
2092	c7b8522a03d1e130cd927e51ddd7e11a77cb7bd2ba370ca9a23f644a2ff98e11N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpB403.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB403.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7b8522a03d1e130cd927e51ddd7e11a77cb7bd2ba370ca9a23f644a2ff98e11N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	c7b8522a03d1e130cd927e51ddd7e11a77cb7bd2ba370ca9a23f644a2ff98e11N.exe
Token: SeDebugPrivilege	2404	tmpB403.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 1988	2092	c7b8522a03d1e130cd927e51ddd7e11a77cb7bd2ba370ca9a23f644a2ff98e11N.exe	30
PID 2092 wrote to memory of 1988	2092	c7b8522a03d1e130cd927e51ddd7e11a77cb7bd2ba370ca9a23f644a2ff98e11N.exe	30
PID 2092 wrote to memory of 1988	2092	c7b8522a03d1e130cd927e51ddd7e11a77cb7bd2ba370ca9a23f644a2ff98e11N.exe	30
PID 2092 wrote to memory of 1988	2092	c7b8522a03d1e130cd927e51ddd7e11a77cb7bd2ba370ca9a23f644a2ff98e11N.exe	30
PID 1988 wrote to memory of 2584	1988	vbc.exe	32
PID 1988 wrote to memory of 2584	1988	vbc.exe	32
PID 1988 wrote to memory of 2584	1988	vbc.exe	32
PID 1988 wrote to memory of 2584	1988	vbc.exe	32
PID 2092 wrote to memory of 2404	2092	c7b8522a03d1e130cd927e51ddd7e11a77cb7bd2ba370ca9a23f644a2ff98e11N.exe	33
PID 2092 wrote to memory of 2404	2092	c7b8522a03d1e130cd927e51ddd7e11a77cb7bd2ba370ca9a23f644a2ff98e11N.exe	33
PID 2092 wrote to memory of 2404	2092	c7b8522a03d1e130cd927e51ddd7e11a77cb7bd2ba370ca9a23f644a2ff98e11N.exe	33
PID 2092 wrote to memory of 2404	2092	c7b8522a03d1e130cd927e51ddd7e11a77cb7bd2ba370ca9a23f644a2ff98e11N.exe	33

C:\Users\Admin\AppData\Local\Temp\c7b8522a03d1e130cd927e51ddd7e11a77cb7bd2ba370ca9a23f644a2ff98e11N.exe
"C:\Users\Admin\AppData\Local\Temp\c7b8522a03d1e130cd927e51ddd7e11a77cb7bd2ba370ca9a23f644a2ff98e11N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gghiufu1.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB56B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB56A.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2584
- C:\Users\Admin\AppData\Local\Temp\tmpB403.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB403.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c7b8522a03d1e130cd927e51ddd7e11a77cb7bd2ba370ca9a23f644a2ff98e11N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB56B.tmp

Filesize
1KB

MD5
07783feeaac7ee7240586f7206354099

SHA1
cbc03b3a4add6a14ab2f81135bb4568bd8f346d9

SHA256
31c774cb071a3e696d5a91595f240587e8470f49f5d12e66a8c1ba245aa4d2c2

SHA512
6ab46081515de7b08cf8fe9185d3f03d704c9b616e495940da050e79eecb2acca829707452d6235247b7ac350b966300be3287f07853dd1e000293bae75cce4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gghiufu1.0.vb

Filesize
14KB

MD5
35b235fcecaba16ee214a44106dce3bc

SHA1
2068b8306ff162f5cb9936ada15e80e4bc4cc139

SHA256
5898202fcd4c6383ae524c1e39e47509968177bd70182b9700971444778d0871

SHA512
cdd52d9139ad9b21b60f77624f278e5dfc73a27d7a305cd599dbcb9a7d89a070b583f892ff4ec5d89fe7d0e8b61971f595707178e81194f16acdd904d7a49c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gghiufu1.cmdline

Filesize
266B

MD5
4752bfd4481e743947fb250f5f4f6c3d

SHA1
66a252e2094c4053d5582d04dca88f08ebd70c5b

SHA256
3b72e44ad7745849735cfeb60881379ee21e85924e251680bdaa0f73d776ea9d

SHA512
4d908961f9b2d5b833ca26eb759178aa03b4838c6799d0b60f75d4df919339e2baa241e5c355520b3505b493cbbdc98d672ca7c14e284ee1ca98f72862eaddd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB403.tmp.exe

Filesize
78KB

MD5
ea9283d107cfa19d2625666b26bf1fae

SHA1
6ea579246cf1ef2251ec1d89d493d2269bb56ae0

SHA256
1aa635a1f0461ad07f6233d268a0546e8166f74a6f06554aad1eab03efc923f4

SHA512
198f81495cf76c8eada5b3ceb53c320677398eaf1d643fa9aa7b4a08d4963550b4e8221e38ddaf90488ed6b43d52dda9d19b32118065deeddd1c35c058428817

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB56A.tmp

Filesize
660B

MD5
a49766b2ab77dcdc635c6f9d1e9897b5

SHA1
df45623c45e5c9da717f311545fdd320d6aecdd5

SHA256
996fdc6a9f26651e187cfd71da42133f7cb68df7a96f332ed5eca5d09cfc6158

SHA512
4857387a76cf2ee1598272a9907a2e6f5cd38687267ac3f15df11b96e07b6952f46947a454bd1f5644a595e2f02fd489f53034d92359826e74a2b94b810285f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1988-8-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1988-18-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2092-0-0x0000000074371000-0x0000000074372000-memory.dmp

Filesize
4KB

Download
memory/2092-1-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2092-2-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2092-24-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads