metamorpherrat | a8abe34ebbc1ac8c3b07289239cd3bf0c5fe177aef4bd30df0ff06cd8d553924

General

Target

a8abe34ebbc1ac8c3b07289239cd3bf0c5fe177aef4bd30df0ff06cd8d553924.exe
Size

78KB
MD5

00f71a862f45d6675e0ac2c5701a2241
SHA1

6387b815e3a747c6aadda819bb138b1e406847c7
SHA256

a8abe34ebbc1ac8c3b07289239cd3bf0c5fe177aef4bd30df0ff06cd8d553924
SHA512

1fe42e4ddd46714a2a8d832a219c5a2515cc78bdba87cdd02f88605838e355686cfda036fbdcece16b6480d706f240760477b28d7db83cba99a14aef41ee1998
SSDEEP

1536:RCHF3rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtLd9/J1hg:RCHFbdSE2EwR4uY41HyvYLd9/K

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
3020	tmpEA01.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2788	a8abe34ebbc1ac8c3b07289239cd3bf0c5fe177aef4bd30df0ff06cd8d553924.exe
2788	a8abe34ebbc1ac8c3b07289239cd3bf0c5fe177aef4bd30df0ff06cd8d553924.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpEA01.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8abe34ebbc1ac8c3b07289239cd3bf0c5fe177aef4bd30df0ff06cd8d553924.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEA01.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	a8abe34ebbc1ac8c3b07289239cd3bf0c5fe177aef4bd30df0ff06cd8d553924.exe
Token: SeDebugPrivilege	3020	tmpEA01.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2680	2788	a8abe34ebbc1ac8c3b07289239cd3bf0c5fe177aef4bd30df0ff06cd8d553924.exe	31
PID 2788 wrote to memory of 2680	2788	a8abe34ebbc1ac8c3b07289239cd3bf0c5fe177aef4bd30df0ff06cd8d553924.exe	31
PID 2788 wrote to memory of 2680	2788	a8abe34ebbc1ac8c3b07289239cd3bf0c5fe177aef4bd30df0ff06cd8d553924.exe	31
PID 2788 wrote to memory of 2680	2788	a8abe34ebbc1ac8c3b07289239cd3bf0c5fe177aef4bd30df0ff06cd8d553924.exe	31
PID 2680 wrote to memory of 2848	2680	vbc.exe	33
PID 2680 wrote to memory of 2848	2680	vbc.exe	33
PID 2680 wrote to memory of 2848	2680	vbc.exe	33
PID 2680 wrote to memory of 2848	2680	vbc.exe	33
PID 2788 wrote to memory of 3020	2788	a8abe34ebbc1ac8c3b07289239cd3bf0c5fe177aef4bd30df0ff06cd8d553924.exe	34
PID 2788 wrote to memory of 3020	2788	a8abe34ebbc1ac8c3b07289239cd3bf0c5fe177aef4bd30df0ff06cd8d553924.exe	34
PID 2788 wrote to memory of 3020	2788	a8abe34ebbc1ac8c3b07289239cd3bf0c5fe177aef4bd30df0ff06cd8d553924.exe	34
PID 2788 wrote to memory of 3020	2788	a8abe34ebbc1ac8c3b07289239cd3bf0c5fe177aef4bd30df0ff06cd8d553924.exe	34

C:\Users\Admin\AppData\Local\Temp\a8abe34ebbc1ac8c3b07289239cd3bf0c5fe177aef4bd30df0ff06cd8d553924.exe
"C:\Users\Admin\AppData\Local\Temp\a8abe34ebbc1ac8c3b07289239cd3bf0c5fe177aef4bd30df0ff06cd8d553924.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zoknhbt8.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB1B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB1A.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2848
- C:\Users\Admin\AppData\Local\Temp\tmpEA01.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpEA01.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a8abe34ebbc1ac8c3b07289239cd3bf0c5fe177aef4bd30df0ff06cd8d553924.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEB1B.tmp

Filesize
1KB

MD5
9ee44b19f7312c08f0d8d5590adbf01d

SHA1
dd38b0b303ca319f7c32bea8d29c42cda99094d2

SHA256
dda6a9c3d96c7fc5b4b568c04603910c0507871f29074397cf75477520dac4e5

SHA512
0fbfb4f531b684fe77f9bf816f739826f6da469e44e0f6719270edc60073d70002ec8e39527b543ecfdb81f267cbfbf87e10944ad75510b5f36fd964708a14eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEA01.tmp.exe

Filesize
78KB

MD5
547054f1cfe297300fa096d6a754d96b

SHA1
e500316c6eda119b388c1782c1371a88f78bd552

SHA256
e096df9abfad185fe2c3d3811a2adeb5d00e55b151882eba313af69af677af29

SHA512
78202932743abd7e6ac31f86205846c86f6bc7e9efb7413ffcdfe01550912d9087409427dd75e7c5084de2f1780eb922af583310a1228f450b7051f0a2f2f647

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEB1A.tmp

Filesize
660B

MD5
2a05c5189ec616dbc5ab510302ec794f

SHA1
11da0aeeeda54c30aa4d5b0451a80687d43c19e6

SHA256
aafc55f803e1354b4effce5f47c0f267cc91267dbf02de70b72ee34ac27c7ece

SHA512
3592062f69c74ba8786632570c64c3d6ddacd0cf902917f56da7297bae8a1a15655f7a93568771443364e53d644b8de9fb2283c75ec5cdf5c316effb1941d7df

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoknhbt8.0.vb

Filesize
15KB

MD5
d12f4138c84492ccd97348e83f0cae7d

SHA1
02d86c6674a5657fdceb511ae1bb6dc10cd659b6

SHA256
13335af4efa093e9ec3cdf540d03c3698d1236474c959d05dfb5b6c54d98e678

SHA512
7abe882c70b61b6f4c841029d27eedb94083d43d35e36f5b4a72b8ee13f3f0c43348757b941cfc539ba7d64f896f58ebf43033a7a040a9eec4e8ee9b151b28eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoknhbt8.cmdline

Filesize
266B

MD5
3ac105ca2edb0e7ece7ed7a4a4ce1a15

SHA1
687ca49798e52312e38e872ca4efd3195c13f3d7

SHA256
732858b629ed1637060d67d41f080455d6bcad54ca9ac5dbea36b2e60497e223

SHA512
e80758483d83ba355bc90b427d469aba64b03f84c0fca514fe6bb909860581503627be86bcfb491fe23c954efb33290558a42de26ef532c231654572803d0d85

Download Submit
memory/2680-8-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/2680-18-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/2788-0-0x00000000745A1000-0x00000000745A2000-memory.dmp

Filesize
4KB

Download
memory/2788-1-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/2788-2-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/2788-24-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads