metamorpherrat | 4420efe6dfa06cea1cbbe07173c339a63678471b78c9c9cd19d287145b290ce5

General

Target

21fb0442bca8f39d0b2e984ef35f0670N.exe
Size

78KB
MD5

21fb0442bca8f39d0b2e984ef35f0670
SHA1

f0184996805cf12f2b004fe2215fde76f66b0654
SHA256

4420efe6dfa06cea1cbbe07173c339a63678471b78c9c9cd19d287145b290ce5
SHA512

ec4724ff11219fd858adec65c0784d8ce3e51b07d2b1e9003d53937ee087e47a7aeeafee1ea8f129485ce5f19bd69ee372a011fb4904ad45cfd79430316288b9
SSDEEP

1536:acRWtHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtL79P:5RWtHFoI3ZAtWDDILJLovbicqOq3o+nR

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2796	tmpEA6E.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2960	21fb0442bca8f39d0b2e984ef35f0670N.exe
2960	21fb0442bca8f39d0b2e984ef35f0670N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpEA6E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEA6E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21fb0442bca8f39d0b2e984ef35f0670N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	21fb0442bca8f39d0b2e984ef35f0670N.exe
Token: SeDebugPrivilege	2796	tmpEA6E.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2156	2960	21fb0442bca8f39d0b2e984ef35f0670N.exe	30
PID 2960 wrote to memory of 2156	2960	21fb0442bca8f39d0b2e984ef35f0670N.exe	30
PID 2960 wrote to memory of 2156	2960	21fb0442bca8f39d0b2e984ef35f0670N.exe	30
PID 2960 wrote to memory of 2156	2960	21fb0442bca8f39d0b2e984ef35f0670N.exe	30
PID 2156 wrote to memory of 2872	2156	vbc.exe	32
PID 2156 wrote to memory of 2872	2156	vbc.exe	32
PID 2156 wrote to memory of 2872	2156	vbc.exe	32
PID 2156 wrote to memory of 2872	2156	vbc.exe	32
PID 2960 wrote to memory of 2796	2960	21fb0442bca8f39d0b2e984ef35f0670N.exe	33
PID 2960 wrote to memory of 2796	2960	21fb0442bca8f39d0b2e984ef35f0670N.exe	33
PID 2960 wrote to memory of 2796	2960	21fb0442bca8f39d0b2e984ef35f0670N.exe	33
PID 2960 wrote to memory of 2796	2960	21fb0442bca8f39d0b2e984ef35f0670N.exe	33

C:\Users\Admin\AppData\Local\Temp\21fb0442bca8f39d0b2e984ef35f0670N.exe
"C:\Users\Admin\AppData\Local\Temp\21fb0442bca8f39d0b2e984ef35f0670N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sm_xjpss.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDC9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEDC8.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2872
- C:\Users\Admin\AppData\Local\Temp\tmpEA6E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpEA6E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\21fb0442bca8f39d0b2e984ef35f0670N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEDC9.tmp

Filesize
1KB

MD5
7d3191c66fcd3bd61f2fc914a1ef331a

SHA1
74cad4b3cd2bc14c6294e4236664f94abe697e7d

SHA256
026b2b2139818027dc4d916f05b8fef1a3cab3c14b08657f2ed4c51239762f1d

SHA512
420173002cef4076266362afe932c5f6bc0c134a9d0c87e05bcb02871fb0d457e9886e346d5289a522ba79a3c3dd9083cc148bb4fa175459dd4fa86fba535fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\sm_xjpss.0.vb

Filesize
15KB

MD5
f01f916402ab70cba252334597d9d087

SHA1
a9c7c5f66a02f5af083c91ff582919b71ed312e1

SHA256
dfced87b073db30bed6260e55f3952656406eac1a82d45a3d206c562cdcb692a

SHA512
df8aa44ebee9ba8249ec164e08a2e0597fb9e83d065aed7e926a2e8b323e3048a8e2a3f3fe5c460df6dac8e727606cc4acd6975d0468e3227aa847c7086a287e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sm_xjpss.cmdline

Filesize
266B

MD5
4f81efdb9b13b4ebfc646dd962a9b700

SHA1
3c013362a7d766537f4ee1fe41f563094faeb2fd

SHA256
272452d16e0d018b5d8504c09e61527a56553e93d03cb027855c89f46ab2dc1c

SHA512
22157699ee071ad34a50524bad9503e99149e200e5315ad7251e0b0a208d4088a3fa20a2d1472914cfe1a9a7d49de7654245b745710f0dd2f598fa2d4e0360fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEA6E.tmp.exe

Filesize
78KB

MD5
43248f4745b254a0e2ce5f52b1697fc8

SHA1
135dae067d140da97f28eed1e436d1dbb33fbe9e

SHA256
28cf13147edec1c66e13571838297729e213960d5fdb4765d2961fbe2535e7ea

SHA512
a64461f310b42b658051d07c825bca81011c8efecf53dcb4c0b58216abd69988e79b2d60844d9162e44f466d51ec6bdb10f55055f39856a452f2ef061d4a4588

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEDC8.tmp

Filesize
660B

MD5
05b231d926109132a0eb37629ae67824

SHA1
46962d14564b870a98e4add004aa612ee59da942

SHA256
f5b14e26a546d72c718e0852f8b8fd2d8620939317f4a179e583c776d2f841b0

SHA512
df9e59959723add652406b965e0b7a4520558021859aeb9ed51932cd596e32c10293e590da26e20ba9992070f18c4535509b41f7713e3ec1fb0a16fe21207775

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2156-8-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download
memory/2156-18-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download
memory/2960-0-0x0000000074991000-0x0000000074992000-memory.dmp

Filesize
4KB

Download
memory/2960-1-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download
memory/2960-2-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download
memory/2960-24-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads