IoCs/metamorfo.md at master · jeFF0Falltrades/IoCs
Common Information
Type Value
UUID 27843925-cf5a-4a6e-936f-de839cb1bd3d
Considered CTI value 2
Text language
Published Jan. 1, 2022, midnight
Added to db Sept. 26, 2022, 9:31 a.m.
Last updated Nov. 17, 2024, 5:57 p.m.
Headline Metamorfo (aka Casbaneiro)
Title IoCs/metamorfo.md at master · jeFF0Falltrades/IoCs
Attributes
Details Type #Events CTI Value
Details Domain 1
metamorfo.md (note: this is the source file's name, auto-extracted as a "Domain" because of the .md suffix — not an indicator; do not add to blocklists)
Details Domain 96
malpedia.caad.fkie.fraunhofer.de (reference source cited by the report — benign, not an indicator)
Details Domain 5
blog.ensilo.com (reference source cited by the report — benign, not an indicator)
Details Domain 1
sfsfsdgfbd456416.zip (misclassified: this is the payload filename from the URL served by 80.211.252.12 below, not a domain; track it as a filename indicator under that URL)
Details Domain 2
buleva.webcindario.com (appears to be a subdomain on a shared hosting provider — block at this subdomain, not at webcindario.com)
Details Domain 13
s3-eu-west-1.amazonaws.com (shared AWS S3 regional endpoint — blocking this hostname would break legitimate traffic; the distinguishing indicator is the bucket name in the URL path, e.g. disenyrt3, sharknadorki, jasonrwk5wg)
Details Domain 2
s3.eu-west-2.amazonaws.com (shared AWS S3 regional endpoint — do not block the hostname; the indicator is the bucket name stocksoftbr in the URL path)
Details Domain 2
modpumms2003.zip (misclassified: payload filename from the S3 URL below, not a domain; track as a filename indicator under the full URL)
Details Domain 2
s3.eu-west-3.amazonaws.com (shared AWS S3 regional endpoint — do not block the hostname; the indicator is the bucket name abrilgeralll in the URL path)
Details Domain 2
modpmabrilzada.zip (misclassified: payload filename from the S3 URL below, not a domain; track as a filename indicator under the full URL)
Details Domain 2
mod1803xrd.zip (misclassified: payload filename from the S3 URL below, not a domain; track as a filename indicator under the full URL)
Details sha256 1
22c51c43fe8344d36005613209fecb9219b06abfdb12e3019876eca0d1495e23
Details sha256 1
d663f2c1a5075b43cc2706d58ae98dbb4b1ab168d5c99b43d5cb0b80e18937cf
Details sha256 1
0113d8a67b61dd6163b003c806d997f1f26da9df316744571aa1295c7ffb9995
Details sha256 1
1bb9382349266630cfc2f36d2af3c8b06ba4b153867161bf44143f952d33680b
Details sha256 1
3f9a7292c3b4837477ef5d8181fae11e827753a575f0ee852546fe64c79389ab
Details sha256 1
42c82a811f4eb41e1a6c613c9b017b7e8abf062c3694cb77e671464954facf3b
Details sha256 1
67255c29a1b2fcc1f9067f08fcf575a2d654e4f8d235a5a583ff2605b7728455
Details sha256 1
77ca06b5bd03556261e7f2359eaaad2c220771618456d9128b1750eef3fa2b8e
Details sha256 1
8aa574ba92ef3177d786c519d9f2acc86aa7d16afd44819cb23eddd28720776c
Details sha256 1
d9114962efbc4f34b093bd04e5d41000ebd416fcc8a6d68faeb7455d64d78081
Details IPv4 1
80.211.252.12 (serves the sfsfsdgfbd456416.zip payload over plain HTTP — see the Url entry below)
Details Url 1
https://malpedia.caad.fkie.fraunhofer.de/details/win.metamorfo
Details Url 1
https://blog.trendmicro.com/trendlabs-security-intelligence/analysis-abuse-of-custom-actions-in-windows-installer-msi-to-run-malicious-javascript-vbscript-and-powershell-scripts
Details Url 1
https://blog.ensilo.com/metamorfo-avast-abuser
Details Url 1
http://80.211.252.12/sfsfsdgfbd456416.zip
Details Url 1
http://buleva.webcindario.com/01
Details Url 2
https://s3-eu-west-1.amazonaws.com/disenyrt3/image2.png
Details Url 2
https://s3-eu-west-1.amazonaws.com/sharknadorki/image2.png
Details Url 2
https://s3-eu-west-1.amazonaws.com/jasonrwk5wg/image2.png
Details Url 2
https://s3.eu-west-2.amazonaws.com/stocksoftbr/modpumms2003.zip
Details Url 2
https://s3.eu-west-3.amazonaws.com/abrilgeralll/modpmabrilzada.zip
Details Url 2
https://s3.eu-west-2.amazonaws.com/stocksoftbr/mod1803xrd.zip
Details Yara rule 1
rule metamorfo_msi {
	meta:
		author = "jeFF0Falltrades"
		ref = "https://blog.trendmicro.com/trendlabs-security-intelligence/analysis-abuse-of-custom-actions-in-windows-installer-msi-to-run-malicious-javascript-vbscript-and-powershell-scripts/"
		description = "This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads"
	strings:
		// Literal fragments that appear to be taken from the script logic carried by
		// the installer (the referenced write-up covers JavaScript/VBScript custom
		// actions in MSI packages). Every string is matched as ASCII and UTF-16LE,
		// case-insensitive, so the rule also fires on script text extracted from the
		// package, not only on the OLE container itself.

		// Download / unpack routine fragments (identifiers look Portuguese-derived,
		// e.g. "Arquivo" — assumption, not verified against a sample here).
		$s1 = "DonaLoad(ArquivoDown" ascii wide nocase
		$s2 = "$bExisteArquivoLog" ascii wide nocase
		$s3 = "function unzip(zipfile, unzipdir)" ascii wide nocase
		$s4 = "getFolder(unzipdir).Path" ascii wide nocase
		$s5 = "FilesInZip= zipzipp" ascii wide nocase
		$s6 = "putt_start" ascii wide nocase

		// String-obfuscation and path-building fragments.
		$s7 = "replace( \" pussy \" , idpp)" ascii wide nocase
		$s8 = "StrReverse( \" TEG \" )" ascii wide nocase
		$s9 = "GAIPV+idpp+ \"\\\\\" +idpp" ascii wide nocase
		$s10 = "@ u s e r p r o f i l e @ \" +ppasta" ascii wide nocase

		// Installer version marker; on its own this is a fairly generic-looking
		// substring, which is one reason the condition requires two hits.
		$s11 = "taller 12.2.1" ascii wide nocase
	condition:
		// Any two distinct fragments are enough; one alone is not.
		2 of ($s*)
}