metamorpherrat | 244beba967d8d33558ef2f2bf831aad8462fa605d2a62a43e8d35a50242e86b7

General

Target

244beba967d8d33558ef2f2bf831aad8462fa605d2a62a43e8d35a50242e86b7.exe
Size

78KB
MD5

20f8e4e8ecdd696b568cc83791952e10
SHA1

4732691dd93ba801f238e261e64ab7a60cc4f78c
SHA256

244beba967d8d33558ef2f2bf831aad8462fa605d2a62a43e8d35a50242e86b7
SHA512

03683f430258fc1650369dadd61003284eee8bd03805c89a372c542071b05d0c35088f65c75c8f627e69e2a06009ecf15272554788bd07c3f4c3e51eb4b28bd0
SSDEEP

1536:LRy5jJLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6G9/C1BUJ:LRy5jhE2EwR4uY41HyvYO9/lJ

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2676	tmpCD6D.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2204	244beba967d8d33558ef2f2bf831aad8462fa605d2a62a43e8d35a50242e86b7.exe
2204	244beba967d8d33558ef2f2bf831aad8462fa605d2a62a43e8d35a50242e86b7.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpCD6D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCD6D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	244beba967d8d33558ef2f2bf831aad8462fa605d2a62a43e8d35a50242e86b7.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	244beba967d8d33558ef2f2bf831aad8462fa605d2a62a43e8d35a50242e86b7.exe
Token: SeDebugPrivilege	2676	tmpCD6D.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1636	2204	244beba967d8d33558ef2f2bf831aad8462fa605d2a62a43e8d35a50242e86b7.exe	31
PID 2204 wrote to memory of 1636	2204	244beba967d8d33558ef2f2bf831aad8462fa605d2a62a43e8d35a50242e86b7.exe	31
PID 2204 wrote to memory of 1636	2204	244beba967d8d33558ef2f2bf831aad8462fa605d2a62a43e8d35a50242e86b7.exe	31
PID 2204 wrote to memory of 1636	2204	244beba967d8d33558ef2f2bf831aad8462fa605d2a62a43e8d35a50242e86b7.exe	31
PID 1636 wrote to memory of 2844	1636	vbc.exe	33
PID 1636 wrote to memory of 2844	1636	vbc.exe	33
PID 1636 wrote to memory of 2844	1636	vbc.exe	33
PID 1636 wrote to memory of 2844	1636	vbc.exe	33
PID 2204 wrote to memory of 2676	2204	244beba967d8d33558ef2f2bf831aad8462fa605d2a62a43e8d35a50242e86b7.exe	34
PID 2204 wrote to memory of 2676	2204	244beba967d8d33558ef2f2bf831aad8462fa605d2a62a43e8d35a50242e86b7.exe	34
PID 2204 wrote to memory of 2676	2204	244beba967d8d33558ef2f2bf831aad8462fa605d2a62a43e8d35a50242e86b7.exe	34
PID 2204 wrote to memory of 2676	2204	244beba967d8d33558ef2f2bf831aad8462fa605d2a62a43e8d35a50242e86b7.exe	34

C:\Users\Admin\AppData\Local\Temp\244beba967d8d33558ef2f2bf831aad8462fa605d2a62a43e8d35a50242e86b7.exe
"C:\Users\Admin\AppData\Local\Temp\244beba967d8d33558ef2f2bf831aad8462fa605d2a62a43e8d35a50242e86b7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\abltk_em.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE29.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE28.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
- C:\Users\Admin\AppData\Local\Temp\tmpCD6D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCD6D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\244beba967d8d33558ef2f2bf831aad8462fa605d2a62a43e8d35a50242e86b7.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCE29.tmp

Filesize
1KB

MD5
666b58ab9bd18e805cbd06ea71758cec

SHA1
b4e188322b9273d2316f8cb2d31d335284d6134b

SHA256
451e74a2bd239bc45589d60575bfec2f6ecf77854cf58fd08f19fd988c20ce86

SHA512
2c65c05e6ba64285901cd2c9dfc1aa9d1dc79afc7d213276c08eaf851401c8cd8d27b81575909341b9b117462276a8a9c6757f59058f5f8025379d02569b5865

Download Submit
C:\Users\Admin\AppData\Local\Temp\abltk_em.0.vb

Filesize
14KB

MD5
686667ba57f9c319af78bf03355ae9ff

SHA1
d1d60e8543bbbb3cd3dcaa0cd3309f926dae921b

SHA256
2a6cc8cf4ce36988d55751efd1afc1059109f214b753db9b9924696cfc492dfb

SHA512
bb853497f3f53544c2d3e74de16041e6a6bcb6647a399c7cb7c90ad846831987284c81cbb4a393502558f7677ec34f939bed320c103ec4a2342fb4641b93d2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\abltk_em.cmdline

Filesize
266B

MD5
b9604dc5d6287348355e74334a06678e

SHA1
d6e5767a4564b690e17a1d53351e2de47d3908cc

SHA256
726a1a46eaeddf94dcbc4927a805f2121018f76abf883effd84ad096eaa72670

SHA512
453588383e89d631ffe0855306d4fd20369767e6cc586d3323f311feed170dc54733eb3fb7c1df6c2e3a665df88f0361cd55cc789dc9ce326d78a06fa10485d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCD6D.tmp.exe

Filesize
78KB

MD5
4f0e21e9fca4429258ed95dbd692412b

SHA1
6b3de02eb1fd9cd35bf26778d08d8799b2966672

SHA256
44c2d1615a0d6508f6ecf8aeb9dfbf919668a33fdfdc07bdd1d5a1d8c47cb981

SHA512
53cb9b748042d39cc7358763f47b3797004784fdcfcb2173dc13d3011e3490fac89a302b2383ef7815530e57ee8dad256f5e26aa2c0dfdba1ce0ee17b45d00e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCE28.tmp

Filesize
660B

MD5
6fa4df9ef75aaaa80f135c5a3178e955

SHA1
81fd632408ffaecac9d4bb27cf265906da9a7bfd

SHA256
ad94cc2be31388d9365e47d4806fd56ef9f687ca6396c4ed8af02caa8906bfdf

SHA512
c191724e7d46f548a22ee2627c12e4eb63c39eef7eae7f31ed659ad7f77a29ac429c1fe0c5784c74007001e71ec65f1932ba07582125c24586f903cc803cb162

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1636-8-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-18-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/2204-0-0x00000000748F1000-0x00000000748F2000-memory.dmp

Filesize
4KB

Download
memory/2204-1-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/2204-2-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/2204-24-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads