metamorpherrat | 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586

General

Target

6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe
Size

78KB
MD5

2d1040cbb7d90db8d32d9e9d98cfe41c
SHA1

b20f3369032316407495a6e6a032033549417a48
SHA256

6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586
SHA512

29326b444beef438e5923e5c4750e14f71112a43340d340c74bec258e29ce598e4dc20cf93c5a2b893bad940b645e8221df7f9557267013c9e383ac9a68caa90
SSDEEP

1536:VVe55AlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtd6TS9/D14qU:3e55AtWDDILJLovbicqOq3o+nh9/5U

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2832	tmpA43B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1980	6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe
1980	6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpA43B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA43B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1980	6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe
Token: SeDebugPrivilege	2832	tmpA43B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1948	1980	6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe	30
PID 1980 wrote to memory of 1948	1980	6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe	30
PID 1980 wrote to memory of 1948	1980	6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe	30
PID 1980 wrote to memory of 1948	1980	6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe	30
PID 1948 wrote to memory of 2140	1948	vbc.exe	32
PID 1948 wrote to memory of 2140	1948	vbc.exe	32
PID 1948 wrote to memory of 2140	1948	vbc.exe	32
PID 1948 wrote to memory of 2140	1948	vbc.exe	32
PID 1980 wrote to memory of 2832	1980	6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe	33
PID 1980 wrote to memory of 2832	1980	6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe	33
PID 1980 wrote to memory of 2832	1980	6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe	33
PID 1980 wrote to memory of 2832	1980	6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe	33

C:\Users\Admin\AppData\Local\Temp\6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe
"C:\Users\Admin\AppData\Local\Temp\6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xzmhfsxt.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA545.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA544.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2140
- C:\Users\Admin\AppData\Local\Temp\tmpA43B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA43B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA545.tmp

Filesize
1KB

MD5
679c42e2a5f3e95564849a73f0685f99

SHA1
f715663aa659d139fe7621d082472d25a1fa2ffc

SHA256
759db95068bb63f94dd1083d709776339c616b5fb770f63e7ab3b762e932abfb

SHA512
2753b3beb06586851ea4e50c3d1348480ab3a820daacbd947757da8f1289d9497dafd5f8fd91824a4a20ed5e5e33a8953bdb5a6fa7131281411b80eb211f261a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA43B.tmp.exe

Filesize
78KB

MD5
535d9989533b0a2409d5d4fbd68d6359

SHA1
82f95f1ded2513896bfa0519561f470ca6a51e5e

SHA256
dffde40cbbebfbc3baf8a130b44cfffa25b358098e4d4bbe3a81d53469b90813

SHA512
9819df99758b4df90667f6d322eeaff46c228dd7c0f37150c452b27be2c88ada49f45a1ad560a90b8821f59614090b68a5d952c5874971d2719f16bad826ff61

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA544.tmp

Filesize
660B

MD5
bea5262bdb89ce5558dd9de7879ad900

SHA1
d90b8e48936d0dc9d6f5fa3aa75fc441434d93b4

SHA256
883e3f20912adf5d050ceebf4b9ff2a6afee5b45aac708677e32e0ca59585ec2

SHA512
3d215bf31ce07cf10bc1deaae7e04204e322fe352a795d8542b4c87578591e6d2a33e050de459021c6dfbcf929a321c7093fcc5d98dfa054b7353515f55de21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzmhfsxt.0.vb

Filesize
14KB

MD5
b202d98ec6728d4efae3268b06229276

SHA1
f76f265440ae37c60f96e469c0360506acd0e0c6

SHA256
13120c9ba85c8ba5a65c382c53e5189005aee26349d4da0de49039c62b60d5e6

SHA512
b650b5cb044e60e5fb6cd17a174cc38358dc437a8e6eb6cefcae785b9ca446239fc28158c5bfa8aece42d1bdf9a5597c7cf394727017073d752e8f5ce92514c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzmhfsxt.cmdline

Filesize
266B

MD5
91e5b7c465d9d6d522cc40b62ac4aa07

SHA1
3a3c6feac97e181c49d994638bb671013e3c3889

SHA256
d838edd83f0c3855f03080a775f26a51006683e1fccc46fc4005877fc404d092

SHA512
080ab951654312bc7c1c397260d0a4fb0660dbb7a8afed001bb75d048118461fe37e45340de217e57ed540b725a0105103013b5eba5c2ec9bb6b9a9841e55003

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1948-8-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-18-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/1980-0-0x0000000074BC1000-0x0000000074BC2000-memory.dmp

Filesize
4KB

Download
memory/1980-1-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/1980-2-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/1980-24-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads