metamorpherrat | 201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962

General

Target

201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe
Size

78KB
MD5

5942ed3d6f90ec614203e77d4f0707d3
SHA1

2c87cbe565475809dfbe124ab54cf193656e97de
SHA256

201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962
SHA512

310b51f7c47032c09c36aee24523d548330424331fad70cff240de3b859539910c0013573ce2fbb1ed3f4cb18013760d8ead70f80906d395478549d1e2e0c798
SSDEEP

1536:4CHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQteB9/e1Cu:4CHY53Ln7N041QqhgeB9/6

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Deletes itself 1 IoCs

pid	Process
1912	tmpA69B.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1912	tmpA69B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1956	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe
1956	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpA69B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA69B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe
Token: SeDebugPrivilege	1912	tmpA69B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1248	1956	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe	30
PID 1956 wrote to memory of 1248	1956	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe	30
PID 1956 wrote to memory of 1248	1956	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe	30
PID 1956 wrote to memory of 1248	1956	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe	30
PID 1248 wrote to memory of 2884	1248	vbc.exe	32
PID 1248 wrote to memory of 2884	1248	vbc.exe	32
PID 1248 wrote to memory of 2884	1248	vbc.exe	32
PID 1248 wrote to memory of 2884	1248	vbc.exe	32
PID 1956 wrote to memory of 1912	1956	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe	33
PID 1956 wrote to memory of 1912	1956	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe	33
PID 1956 wrote to memory of 1912	1956	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe	33
PID 1956 wrote to memory of 1912	1956	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe	33

C:\Users\Admin\AppData\Local\Temp\201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe
"C:\Users\Admin\AppData\Local\Temp\201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lsqtigev.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7F4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA7F3.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2884
- C:\Users\Admin\AppData\Local\Temp\tmpA69B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA69B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA7F4.tmp

Filesize
1KB

MD5
ffce595ceac4639fdfc31071aabb1a1e

SHA1
5f5b49ee619549783d6c556f86fa4ff3704f687d

SHA256
bfeaa2b302b3344c494044149e9cc49ac0cbc0a3cedcc935f9aff57d968beadb

SHA512
28f5d4f5e0e2cd5ef5c0fa779869325f68c94c4a739553c797779cd9031bccb338b12aff0f022010666edb8cda22b686ef43ef29bad3f47dce8ee30a2edb5b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsqtigev.0.vb

Filesize
15KB

MD5
dc479f3239e920eba98b91af9a4be441

SHA1
d30dbfb6298d505efe0d13bda8c8224949160a42

SHA256
a499bb543b20839d5613da581f24d762e1f2bbd3e76b37d838f64e80c0fe7c4e

SHA512
2c96934d94c00d2a5fccc100d793391452f996d4fd1eee8ca5ef964d529c43969b090fb37c9fde1fb8ba796eef84edc527ba2d0887dde3eda07caac4cbc1f92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsqtigev.cmdline

Filesize
266B

MD5
d1623c4a3842be75127259b73649c73b

SHA1
f642cd277a36d20ffd0f228f1002883d18429096

SHA256
e18ced15abaf3318398fb3b84dd89af28cd3ff9884702325329d084fb928eeb3

SHA512
681fbe71a17c6f0285707f90a2cd436d068795db57a06cecbcdc543e684e675373a871d5e7422749586e648e7e77cf18db3a4ef28dd517d816bd18bb465ef3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA69B.tmp.exe

Filesize
78KB

MD5
d91f13ee07930cb878ca0b136cc60285

SHA1
2b30beeab7d048955521a2909391f049b68fe3ee

SHA256
b64a884abf11f4d4dc9edff94bc53806f3c2268c39f65db07e092ff6874c89ec

SHA512
6cdbe2408d54f355ddf98b027079ca68d21dafa576b1bb6580abe6f758bf5704c7fbca33bc97fc37873edfd17c6875d9b489baf5e1648c2796763520317bc290

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA7F3.tmp

Filesize
660B

MD5
2a8084bf88bdfb3abccb25a42daaa6e4

SHA1
4386fbeaa827f8f86d55b77e77506b23347838cf

SHA256
f8c730e274403eae4fc0a607c3096de2f9393f2f4573e52b51f8c3dc29bff411

SHA512
9efb7ea0c42a3481524a1d557337ba0ad7e9abf1eebca3d0c51766a7839bfabc86fcfc84cd1759f08079134e839020bb78008ff8cd23e896dcea76a75e9fb108

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1248-8-0x0000000074E20000-0x00000000753CB000-memory.dmp

Filesize
5.7MB

Download
memory/1248-18-0x0000000074E20000-0x00000000753CB000-memory.dmp

Filesize
5.7MB

Download
memory/1956-0-0x0000000074E21000-0x0000000074E22000-memory.dmp

Filesize
4KB

Download
memory/1956-1-0x0000000074E20000-0x00000000753CB000-memory.dmp

Filesize
5.7MB

Download
memory/1956-3-0x0000000074E20000-0x00000000753CB000-memory.dmp

Filesize
5.7MB

Download
memory/1956-23-0x0000000074E20000-0x00000000753CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads