metamorpherrat | ca642ba1abf5f58a629ddcb794e2a65d43bf4c1dbcfde57466c6ae908a820fdb

General

Target

ca642ba1abf5f58a629ddcb794e2a65d43bf4c1dbcfde57466c6ae908a820fdb.exe
Size

78KB
MD5

328306196dd90bc9b14efc97edd0c7dc
SHA1

e58c6749924cc692ce2fb15101c46a483d6eab1d
SHA256

ca642ba1abf5f58a629ddcb794e2a65d43bf4c1dbcfde57466c6ae908a820fdb
SHA512

48259b0203302148e5b9919403cf24e9a9e64fc6b68574b7ca788d2cba3fbbdd67a367fb81d8f189e6d452020293d986f2d4b73460e2c8d7b77c0d26f390f595
SSDEEP

1536:PPCHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt99/c1vKY:PPCHYnhASyRxvhTzXPvCbW2U99/7Y

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	ca642ba1abf5f58a629ddcb794e2a65d43bf4c1dbcfde57466c6ae908a820fdb.exe

Deletes itself 1 IoCs

pid	Process
208	tmp9F1E.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
208	tmp9F1E.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp9F1E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca642ba1abf5f58a629ddcb794e2a65d43bf4c1dbcfde57466c6ae908a820fdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9F1E.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3756	ca642ba1abf5f58a629ddcb794e2a65d43bf4c1dbcfde57466c6ae908a820fdb.exe
Token: SeDebugPrivilege	208	tmp9F1E.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 4432	3756	ca642ba1abf5f58a629ddcb794e2a65d43bf4c1dbcfde57466c6ae908a820fdb.exe	83
PID 3756 wrote to memory of 4432	3756	ca642ba1abf5f58a629ddcb794e2a65d43bf4c1dbcfde57466c6ae908a820fdb.exe	83
PID 3756 wrote to memory of 4432	3756	ca642ba1abf5f58a629ddcb794e2a65d43bf4c1dbcfde57466c6ae908a820fdb.exe	83
PID 4432 wrote to memory of 5112	4432	vbc.exe	85
PID 4432 wrote to memory of 5112	4432	vbc.exe	85
PID 4432 wrote to memory of 5112	4432	vbc.exe	85
PID 3756 wrote to memory of 208	3756	ca642ba1abf5f58a629ddcb794e2a65d43bf4c1dbcfde57466c6ae908a820fdb.exe	86
PID 3756 wrote to memory of 208	3756	ca642ba1abf5f58a629ddcb794e2a65d43bf4c1dbcfde57466c6ae908a820fdb.exe	86
PID 3756 wrote to memory of 208	3756	ca642ba1abf5f58a629ddcb794e2a65d43bf4c1dbcfde57466c6ae908a820fdb.exe	86

C:\Users\Admin\AppData\Local\Temp\ca642ba1abf5f58a629ddcb794e2a65d43bf4c1dbcfde57466c6ae908a820fdb.exe
"C:\Users\Admin\AppData\Local\Temp\ca642ba1abf5f58a629ddcb794e2a65d43bf4c1dbcfde57466c6ae908a820fdb.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dji3l9fm.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA057.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA1A7F59E5D945FD935328DBFA31BD.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5112
- C:\Users\Admin\AppData\Local\Temp\tmp9F1E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9F1E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ca642ba1abf5f58a629ddcb794e2a65d43bf4c1dbcfde57466c6ae908a820fdb.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA057.tmp

Filesize
1KB

MD5
428dc530cd3370882ec2057932e3c2fe

SHA1
55e23d962e7b5f0bee216a2e19cc804f316fdc24

SHA256
91b2b9fa6f279ff351fbecb84d5747b504a2a5ee0523f3a5c2b650481f552bc2

SHA512
11dba4d702699c2dfad0d00a3ce7b885c5933b7c0958994c94c067ccf030e1c1a74fd4cf9fdd5521eeabbc47d12feb54aea4b40723d23cac9352a0c41f7e359b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dji3l9fm.0.vb

Filesize
15KB

MD5
d853daaec581cd595ecef2b8155a5d0c

SHA1
f59dff41ddbb04be74fe8c84d0a24f4267dfa51c

SHA256
f9ef6ccf6e5ed07bff84e6b9fea3d905ec159616969ad45fb309f2ec149bfb2a

SHA512
5e07514126740f57563178c617af1d15467d1f0f98d54153355bb41bfed42d1401e4b72018e83cb8564fdb6266a0ce153b9ebf183a3c3e337fdc73646b1c4a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\dji3l9fm.cmdline

Filesize
266B

MD5
c40748b5024738bb3ecc0ff0d472eb92

SHA1
5ab07baef8d8cffd868136e473926508fdb6c2fe

SHA256
0c638cfa355269f84f949a4666c43b6fe17000fb3f528e5fd859a4897fc5e391

SHA512
31058b464d942a99025fe2a2fc20172fbe152678cbd7ef035051f57883c7b323efe7ca07e7494b95cbfeedebce1deb4eb5287401385ce987c40dc6f250f8eddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9F1E.tmp.exe

Filesize
78KB

MD5
a0fc1535e88f581d542d503da40bf2ee

SHA1
885f539f98ccb40a2e67aca36299ae3233ad1d58

SHA256
b1433c216058368324b2c81f76af54606860a3cb1823e39b663a78d3778abd97

SHA512
c4de353c743ac23b741b52568e2654a086c6510add48c1be8354a0e523972ab62a715e0b827e12a2f8897a00bddd5864518c027161410d9c93950558c3cbcff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA1A7F59E5D945FD935328DBFA31BD.TMP

Filesize
660B

MD5
9f6d38711267701fc252d909c3a1b385

SHA1
851e8f70375caff8a2a9ce0b7c975e1de9166f3c

SHA256
4c660ea33ae1b43cfb77a19af35f02dea01619bb02d054e69e4a91ede0b2325b

SHA512
916358992b518ac8e1750a8a3a19c1aa2b96500d13df4122ff3e3f1ce03b1b119b729d6d510e3c67af3e4402e8022ad7fbf2f1c5fd3c7beb20acdca8da0ee3ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/208-24-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/208-28-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/208-27-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/208-26-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/208-23-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/3756-22-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/3756-1-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/3756-2-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/3756-0-0x00000000746C2000-0x00000000746C3000-memory.dmp

Filesize
4KB

Download
memory/4432-9-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/4432-18-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads