{
	"id": "da48115d-8ee5-491a-9bbd-49dfeb1469b4",
	"created_at": "2026-04-06T00:14:08.694286Z",
	"updated_at": "2026-04-10T03:20:31.259426Z",
	"deleted_at": null,
	"sha1_hash": "dcba37ad70669b5dac61e79a7629f2352c80bb16",
	"title": "IoCs/Broadbased/metamorfo.md at master · jeFF0Falltrades/IoCs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44942,
	"plain_text": "IoCs/Broadbased/metamorfo.md at master · jeFF0Falltrades/IoCs\r\nBy jeFF0Falltrades\r\nArchived: 2026-04-05 14:52:48 UTC\r\nMetamorfo (aka Casbaneiro)\r\nReporting\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.metamorfo\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/analysis-abuse-of-custom-actions-in-windows-installer-msi-to-run-malicious-javascript-vbscript-and-powershell-scripts/\r\nhttps://blog.ensilo.com/metamorfo-avast-abuser\r\nYARA\r\nrule metamorfo_msi {\r\n meta:\r\n author = \"jeFF0Falltrades\"\r\n ref = \"https://blog.trendmicro.com/trendlabs-security-intelligence/analysis-abuse-of-custom-actio\r\n description = \"This is a simple, albeit effective rule to detect most Metamorfo initial MSI paylo\r\n strings:\r\n $str_1 = \"replace(\\\"pussy\\\", idpp)\" wide ascii nocase\r\n $str_2 = \"GAIPV+idpp+\\\"\\\\\\\\\\\"+idpp\" wide ascii nocase\r\n $str_3 = \"StrReverse(\\\"TEG\\\")\" wide ascii nocase\r\n $str_4 = \"taller 12.2.1\" wide ascii nocase\r\n $str_5 = \"$bExisteArquivoLog\" wide ascii nocase\r\n $str_6 = \"function unzip(zipfile, unzipdir)\" wide ascii nocase\r\n $str_7 = \"DonaLoad(ArquivoDown\" wide ascii nocase\r\n $str_8 = \"putt_start\" wide ascii nocase\r\n $str_9 = \"FilesInZip= zipzipp\" wide ascii nocase\r\n $str_10 = \"@ u s e r p r o f i l e @\\\"+ppasta\" wide ascii nocase\r\n $str_11 = \"getFolder(unzipdir).Path\" wide ascii nocase\r\n condition:\r\n 2 of them\r\n}\r\nSample Hashes\r\nhttps://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md\r\nPage 1 of 2\n\n22c51c43fe8344d36005613209fecb9219b06abfdb12e3019876eca0d1495e23\r\nd663f2c1a5075b43cc2706d58ae98dbb4b1ab168d5c99b43d5cb0b80e18937cf\r\n0113d8a67b61dd6163b003c806d997f1f26da9df316744571aa1295c7ffb9995\r\n1bb9382349266630cfc2f36d2af3c8b06ba4b153867161bf44143f952d33680b\r\n3f9a7292c3b4837477ef5d8181fae11e827753a575f0ee852546fe64c79389ab\r\n42c82a811f4eb41e1a6c613c9b017b7e8abf062c3694cb77e671464954facf3b\r\n67255c29a1b2fcc1f9067f08fcf575a2d654e4f8d235a5a583ff2605b7728455\r\n77ca06b5bd03556261e7f2359eaaad2c220771618456d9128b1750eef3fa2b8e\r\n8aa574ba92ef3177d786c519d9f2acc86aa7d16afd44819cb23eddd28720776c\r\nd9114962efbc4f34b093bd04e5d41000ebd416fcc8a6d68faeb7455d64d78081\r\nSample C2\r\nhttp[:]//80[.]211[.]252[.]12/sfsfsdgfbd456416[.]zip\r\nhttp[:]//buleva[.]webcindario[.]com/01/\r\nhttps[:]//s3-eu-west-1[.]amazonaws[.]com/disenyrt3/image2[.]png\r\nhttps[:]//s3-eu-west-1[.]amazonaws[.]com/sharknadorki/image2[.]png\r\nhttps[:]//s3-eu-west-1[.]amazonaws[.]com/jasonrwk5wg/image2[.]png\r\nhttps[:]//s3[.]eu-west-2[.]amazonaws[.]com/stocksoftbr/ModPumMs2003[.]zip\r\nhttps[:]//s3[.]eu-west-3[.]amazonaws[.]com/abrilgeralll/ModPmAbrilzada[.]zip\r\nhttps[:]//s3[.]eu-west-2[.]amazonaws[.]com/stocksoftbr/Mod1803xrd[.]zip\r\nSource: https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md\r\nhttps://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md"
	],
	"report_names": [
		"metamorfo.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775434448,
	"ts_updated_at": 1775791231,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dcba37ad70669b5dac61e79a7629f2352c80bb16.pdf",
		"text": "https://archive.orkl.eu/dcba37ad70669b5dac61e79a7629f2352c80bb16.txt",
		"img": "https://archive.orkl.eu/dcba37ad70669b5dac61e79a7629f2352c80bb16.jpg"
	}
}