metamorpherrat | e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4

General

Target

e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe
Size

78KB
MD5

44670034b7ac83d6a9ca82b2994df75b
SHA1

cf65e71b667435c8b4294c82db41c7244981a46b
SHA256

e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4
SHA512

f4373697dd2e133d08e8963138929d4b8496286d1d2b342eaba741614a6e146d5da4923d23787b0139387660d5848c70b6c5496a4d23d9302acd20700edaca8b
SSDEEP

1536:3PWV5jPLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti67M9/X1SK:3PWV5jTE2EwR4uY41HyvYDM9/X

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
1376	tmpE0BE.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
860	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe
860	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpE0BE.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE0BE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	860	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe
Token: SeDebugPrivilege	1376	tmpE0BE.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 1668	860	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe	30
PID 860 wrote to memory of 1668	860	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe	30
PID 860 wrote to memory of 1668	860	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe	30
PID 860 wrote to memory of 1668	860	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe	30
PID 1668 wrote to memory of 2932	1668	vbc.exe	33
PID 1668 wrote to memory of 2932	1668	vbc.exe	33
PID 1668 wrote to memory of 2932	1668	vbc.exe	33
PID 1668 wrote to memory of 2932	1668	vbc.exe	33
PID 860 wrote to memory of 1376	860	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe	34
PID 860 wrote to memory of 1376	860	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe	34
PID 860 wrote to memory of 1376	860	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe	34
PID 860 wrote to memory of 1376	860	e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe	34

C:\Users\Admin\AppData\Local\Temp\e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe
"C:\Users\Admin\AppData\Local\Temp\e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\serkxcnu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2D1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE2D0.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2932
- C:\Users\Admin\AppData\Local\Temp\tmpE0BE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE0BE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e21a4fc43273aaef04bf0864cbd934debdb6c2b2216fa85df90af9609e8b40e4.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE2D1.tmp

Filesize
1KB

MD5
1c1bd3496aac9513c8c164c73396f37b

SHA1
e549c45c8ea50f5be77b10740be7a6a49259c697

SHA256
b0611dfc84b0afc148f44adc5179fd2ead2bde7ded2c75febb2f387af4adab1e

SHA512
1661b23dfd9fef80d29de4ef654968af42919d42b13d21f7e5894a72faa8f0013bcabff9d7e79f0ca6b6ca59bfe7229343d178683f9115232baf78c75f2f10a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\serkxcnu.0.vb

Filesize
14KB

MD5
93097919d2321a134e3af8971a75ceb1

SHA1
e472ba703a7b124134d65c093e8625c1898b2c6a

SHA256
47a3aa0c125e1357f6845bbbfb7fe795d657eb90845dda0df0952658a817abe4

SHA512
64166cb757443d24902ce79433f4999e7f20cee7589649bd6a1b61919995ea433cdfb1e7d775d8977f1b64d0fdb62455b6d1802b5b7d0e67fa7cb1b689c2ec25

Download Submit
C:\Users\Admin\AppData\Local\Temp\serkxcnu.cmdline

Filesize
266B

MD5
bf89d351f2ccb87bb4f73af5be79d168

SHA1
ea5adc1f0926214cd8ec5b8821a0e33979bd36f8

SHA256
cf6a53e790e90b5c75cddaf28752ce95ca2e9f50b20596614057b0277fa32fe3

SHA512
b4902dac4d9ce8b8215d098deb5cb83006d1d9f055ffddedff045a27b8cf0a0bd33c4be65e85085d03da3efb630723a70c04733d0cfdcc4cbb17e363f1360543

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE0BE.tmp.exe

Filesize
78KB

MD5
84ede67a4bc4070c2418b757e46a5aa7

SHA1
0c64a6025121b721b534b7219dcfceccd9e66537

SHA256
de3dbf90e7337c4853124a275b965e49830a7e30725c57ce866b408a1aa933e6

SHA512
30cfe520fd34b2fa3e2ac117ac7b3fb735a51f490bc7c81810565c453cd387794c4c3cd39a7e37c9da19852113183a0f5a1a4bca2a84829425af11d8129dfff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE2D0.tmp

Filesize
660B

MD5
334535607d37d366f04f8e4890cb9989

SHA1
6bf95e4381cc1ff818467d4ec2174f52008452d9

SHA256
d71f608efccb424aaa7c996c40fb72af4c56ec3220099687e0dda62cd77a4fd9

SHA512
f52fc69ac0b9cfaf10eedf7d1172b991a6c35a33fa4589d19e859f4bfb87c8f2d12ec6c405085bdbdeb9ef9d3dceb3aeb1848d0ec3007c229804c877cfa3709b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/860-0-0x0000000074DA1000-0x0000000074DA2000-memory.dmp

Filesize
4KB

Download
memory/860-1-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/860-2-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/860-24-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/1668-8-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/1668-18-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads