metamorpherrat | 4bb90579b4fe648b077f1dd34b10b0539a1503d5c4bf9d89edab047cd76d4738

General

Target

8625b0f28c93e2023c15826e8edf8a00N.exe
Size

78KB
MD5

8625b0f28c93e2023c15826e8edf8a00
SHA1

ac0968ef5eddc3ef0ad22d0b962ca29d48ad34b6
SHA256

4bb90579b4fe648b077f1dd34b10b0539a1503d5c4bf9d89edab047cd76d4738
SHA512

da052466d4b4e88d8f739ae92eb45ce90a96b4b2842c5861eed10d196aed05280f9493e40581c5a4f4d8e49b44548c2628b525d355062bdae1833025fdee17c1
SSDEEP

1536:ZBWV5jSAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6l9/cG1im:TWV5jSAtWDDILJLovbicqOq3o+nN9/B

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2936	tmpF354.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2700	8625b0f28c93e2023c15826e8edf8a00N.exe
2700	8625b0f28c93e2023c15826e8edf8a00N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpF354.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8625b0f28c93e2023c15826e8edf8a00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF354.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	8625b0f28c93e2023c15826e8edf8a00N.exe
Token: SeDebugPrivilege	2936	tmpF354.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2728	2700	8625b0f28c93e2023c15826e8edf8a00N.exe	31
PID 2700 wrote to memory of 2728	2700	8625b0f28c93e2023c15826e8edf8a00N.exe	31
PID 2700 wrote to memory of 2728	2700	8625b0f28c93e2023c15826e8edf8a00N.exe	31
PID 2700 wrote to memory of 2728	2700	8625b0f28c93e2023c15826e8edf8a00N.exe	31
PID 2728 wrote to memory of 648	2728	vbc.exe	33
PID 2728 wrote to memory of 648	2728	vbc.exe	33
PID 2728 wrote to memory of 648	2728	vbc.exe	33
PID 2728 wrote to memory of 648	2728	vbc.exe	33
PID 2700 wrote to memory of 2936	2700	8625b0f28c93e2023c15826e8edf8a00N.exe	34
PID 2700 wrote to memory of 2936	2700	8625b0f28c93e2023c15826e8edf8a00N.exe	34
PID 2700 wrote to memory of 2936	2700	8625b0f28c93e2023c15826e8edf8a00N.exe	34
PID 2700 wrote to memory of 2936	2700	8625b0f28c93e2023c15826e8edf8a00N.exe	34

C:\Users\Admin\AppData\Local\Temp\8625b0f28c93e2023c15826e8edf8a00N.exe
"C:\Users\Admin\AppData\Local\Temp\8625b0f28c93e2023c15826e8edf8a00N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nthjwiao.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF44F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF44E.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:648
- C:\Users\Admin\AppData\Local\Temp\tmpF354.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF354.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8625b0f28c93e2023c15826e8edf8a00N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF44F.tmp

Filesize
1KB

MD5
00703d297bcc710afe3cc0ffd0bdaece

SHA1
f976b22a6785b8b56e80aa362a880e7956430071

SHA256
66ccafcda9bcf1d5cb2b9a30d2bc1c562f00da3c058a1ab5c3b85b55e2816916

SHA512
0cdb96af981a2451552fb23316395512f4e927a78f7f708e7746d2301b8b429346be4f94bffd7148179db2133ba4bb609e5f6d50594b05c25da866978d26738c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nthjwiao.0.vb

Filesize
14KB

MD5
5742fb58e405e5d23d8191ba71175a08

SHA1
0677741ccc78050f01243f82e3e71ae2d5af44db

SHA256
3648fd378bc146bf224733bafc21522cee97ed73e9e3bd30deb66385093c40ad

SHA512
d9c7c70a20a778c8367df59185f30a1b259f17d0e20e2ecc0491a18840a6570f1c453c660e8222aa12cc57fbd17a5149eba3a1c8140a40464ce8525d73fb060f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nthjwiao.cmdline

Filesize
266B

MD5
eb0f765c79177eeb82816bfe4f69ec77

SHA1
904c543ae0cf163d1433f8c1c274b4aa410000b1

SHA256
48096dbc1b0d2362d8e5b0e70aa427cee1f54223c8c5a7e47146620aceafa6b7

SHA512
8b14f32293da7c860021de75b1c031a31d87b81598490ef88ebf145d243f4d0eca43f01469cbfdbb8272d9f8bc1e9c74dd8ef5a6cef56c12163ef0a10667eec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF354.tmp.exe

Filesize
78KB

MD5
9fc525f0c6c29d35f8e5e3be789073bc

SHA1
26053cc51aba6c92c4dd58fe5b9429cf9fd6d209

SHA256
d77ddd6a73d85a16eac1aab00e8bc486b2a728533c7024b49c77dea5b44d6d3a

SHA512
024e97198043f9a271a633db9ef66afa3ccaaa2b584f8a40e86c2d1b0c98473e3c4ff51599d485319df0d329806ce174ab24e9a11e1a74712bd341e3f1dcdb4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF44E.tmp

Filesize
660B

MD5
46770450e69acdf93d03fd399050b49d

SHA1
16d92ebe03e1e1ca53f9ff0389547f5473a811b0

SHA256
b44e292aa93f4b9c554a961a10e21588b9742883727ce9ad61342ffae173434d

SHA512
b2fd1c2c874ff50e07b59b3fa75c1170b0dfb0858014712ab2a75ee5714bcf011a31a04dc4a8dbbe7ed21d8c49cbec4b95c452f6add771e985e07a9975574f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2700-0-0x0000000074B01000-0x0000000074B02000-memory.dmp

Filesize
4KB

Download
memory/2700-1-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/2700-2-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/2700-24-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/2728-8-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/2728-18-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads