BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

Metamorfo

70
Global rank
60 infographic chevron month
Month rank
47 infographic chevron week
Week rank
273
IOCs

Metamorfo is a trojan malware family that has been active since 2018. It remains a top threat, focusing on stealing victims’ financial information, including banking credentials and other data. The malware is known for targeting users in Brazil.

Trojan
Type
Unknown
Origin
1 April, 2018
First seen
14 June, 2024
Last seen
Also known as
Casbaneiro

How to analyze Metamorfo with ANY.RUN

Type
Unknown
Origin
1 April, 2018
First seen
14 June, 2024
Last seen

IOCs

IP addresses
20.206.126.228
54.39.10.87
158.69.110.217
185.45.195.226
185.185.87.45
149.100.158.179
89.116.236.122
212.46.38.43
51.38.235.152
172.105.111.154
192.46.216.151
139.177.193.74
154.223.16.114
80.211.249.77
38.54.20.37
89.117.37.61
216.238.70.224
20.92.164.32
18.184.132.208
52.138.9.49
Hashes
2728e713ef60160ac8427b9dd550ba00885d2125fd03f1990618d9af7e8f1949
efb6169bbb869a849afb91184a75b906fe509cbf6e672b6b4f3311c02343bbbb
681ccc9e5bab3a23b3ce31fdc1eb8db268e79e1521e748d8f8c951d10a3a096c
2d40da8ee687152fcb99a36442390885767b667005dba437a79e6d12c91cd7a9
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
74893879a20fa8dcd8bb86da5dfaa71509a392ab3bf5033b057de4a3485d5551
e53cab787bbe6719e2709b6c84eed0cbfa8468a2e239066880e4a4d444e5e770
a55c83aa202f4ee218ac7aed24ce286481e8f570ad0b29004427122854db4166
e8982066cc5b75706641a0ec20af285179528aad5368bdedea9965185b9ed0da
27da7ddbbbca0bb2cba219e5b80461be2fb9cadd83885669dc3b54dca83236eb
0d8d44a2814be4f0f6a41a3173a081a62126acdd89d29d052d8bf38412003b62
158a3585ba853c9f3d916ea642a49cb26845c695ac5abeea22b4be024f739e4b
afc82cce49b6bee26340b55d5a9e8a9b08406878f7cfafe69d6c7fd04dc132d1
633d363baa5dd8b6353676843204ab91f899ab55b6e159cad39d24a459ff527b
e1d0e92606aac8ff32c501ba9a8b163a304cd7c16beadc5d91fd0c8ad12e5055
7dea5bf6d076910283dedd70066060783e72dcbba11f998bec05b789b1a13ea2
8d45601a7eacf6cdad87da5a19c1866da9400e612e991c0f2452b6e70ae6bac2
27179afc2063417644c746faa4fa748ec53fad537345ab7dfe81455251190daa
6b6a1479f3d6fab4298374491a51e975148956dd44fb8a3f92c816fc65286c20
6d8b837792808b171bff85dfc9de4c378eb140b5e72ecf86bb4f045f78ad7970
Domains
mgjw.zapto.org
contmx1.website
fd8nvvlufung.website
nhoquemassa.com
agosto2019.servepics.com
4d9p5678.myvnc.com
mercadoenvios1.loseyourip.com
sva.gotdns.ch
3n1ujw621vaxpro.online
down425.xyz
hostmeusite.ddns.net
chooseanother.com
tyjghhasdempresasfactura.com
obarrielsoluctionssx.com
baza.alta-bars.ru
x50zbqev4po5.online
down5861.serveblog.net
albumdepremios.com.br
fnfactura.cfd
contxm3.ddnsking.com
URLs
http://86.38.217.167/09/index.php
http://86.38.217.167/relat/index.php
http://86.38.217.167/ps1/index.php
http://3.145.213.63/contador/serv.php
http://86.38.217.167/ps/index.php
http://86.38.217.167/13/index.php
http://86.38.217.167/ld/index.php
http://86.38.217.167/vth/vth
http://adbd.tech/26/index.php
http://86.38.217.167/07/index.php
http://86.38.217.167/21/index.php
http://ad2.gotdns.ch/22/22
http://38.54.20.37/29/index.php
http://38.54.20.37/nv/index.php
http://38.54.20.37/17/17
http://a.3utilities.com/17/
http://38.54.20.37/04/04
http://avs.myftp.biz/04/
http://38.54.20.37/19/index.php
http://38.54.20.37/29/29
Last Seen at

Recent blog posts

post image
Analyzing Malware Protected with Themida and...
watchers 171
comments 0
post image
ANY.RUN Represented at BSides Canada and Cybe...
watchers 190
comments 0
post image
Search for Malware Mutexes in ANY.RUN Threat...
watchers 341
comments 0

What is Metamorfo malware?

Metamorfo, also known as Casbaneiro, is a trojan malware family used for exfiltrating financial information. The operators behind the malicious software spread it primarily via phishing campaigns. While initially, users living in Brazil were the core victims of the malware, the attackers later expanded the list of targeted countries.

Keylogging serves as the main method of collecting information from the infected devices. To facilitate the process, Metamorfo can display fake bank forms requesting users’ credentials. At the same time, the malware can also be employed to steal other sensitive data, as well as take screenshots.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the Metamorfo malicious software

One of the ways Metamorfo manages to collect users’ login banking info is by first killing all the browser processes and then modifying the registry to disable auto-complete and auto-suggest. This is done to force the user to enter their login and other form details manually, allowing Metamorfo’s keylogging capability to record the keys they press.

Metamorfo also can scan the clipboard and replace any saved crypto wallet address with that of the attacker. As a result, victims may unknowingly send their funds to criminals.

On top of that, the malware can search for certain files on the infected device using specific keywords and exfiltrate them to the attacker. Metamorfo can also download additional files from its C2, meaning that it can update itself and install other malicious software.

Many attacks involving the malware have been observed to implement DLL hijacking. This technique enables Metamorfo to run its code with the help of legitimate processes, which allows it to stay undetected by traditional security solutions.

The malware can also display fake security pop-ups of popular Brazilian banks, informing the users that their account has been compromised. The next window then requests the victim to share their login credentials.

Metamorfo gains persistence on the system by creating a task that launches the malware at every new startup.

Execution process of Metamorfo

Let’s upload a sample of Metamorfo to the ANY.RUN sandbox to explore its execution chain.

This particular Trojan family often employs a deceptive strategy of embedding itself into installers that unsuspecting users download in the hopes of installing legitimate software. Our analyzed sample, also in MSI format, deviates from this common modus operandi by employing more sophisticated installation techniques. Instead of relying on fake installer windows to blend in, it utilizes a combination of a hidden window and the header "Installation Database" to conceal its installation process.

Upon execution, the downloaded sample establishes a connection to a remote server to retrieve the primary payload, Metamorfo. Once Metamorfo is downloaded, it is launched, initiating a series of malicious activities. These activities include creating a file in the startup directory to ensure its persistent operation and, to evade detection, subsequently removing this file from the startup registry.

Once established, the dropped file, SlimBoat, takes center stage, orchestrating a coordinated attack on the compromised system. It loads additional modules, establishes a connection to the remote server, and embarks on the primary objective of exfiltrating sensitive information.

Metamorfo process tree shown in ANY.RUN Metamorfo's process tree demonstrated in ANY.RUN

Distribution methods of the Metamorfo malware

Similar to other trojan malware families like Agent Tesla and Remcos, Metamorfo is distributed using phishing emails with malicious attachments in the form of archives with an .MSI file inside and PDFs. In some attacks, criminals also send links. The subject of the email usually concerns finance, asking the recipient to conduct an invoice payment.

Conclusion

Despite being active since 2018, Metamorfo continues to pose a major threat to users in Brazil and other countries, including the United States. Organizations without reliable security measures in place are particularly vulnerable to such attacks. As Metamorfo typically spreads through emails, checking all the incoming files and links should be top priority for organizations that do not wish to fall victim to the malware.

ANY.RUN is a cloud-based malware analysis sandbox that lets you quickly analyze any suspicious file and URL to determine whether it is malicious. The service also generates reports on the threats identified, containing all the necessary intelligence, including indicators of compromise (IOCs).

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy