metamorpherrat | 201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962

General

Target

201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe
Size

78KB
MD5

5942ed3d6f90ec614203e77d4f0707d3
SHA1

2c87cbe565475809dfbe124ab54cf193656e97de
SHA256

201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962
SHA512

310b51f7c47032c09c36aee24523d548330424331fad70cff240de3b859539910c0013573ce2fbb1ed3f4cb18013760d8ead70f80906d395478549d1e2e0c798
SSDEEP

1536:4CHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQteB9/e1Cu:4CHY53Ln7N041QqhgeB9/6

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2900	tmp79D1.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1992	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe
1992	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp79D1.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp79D1.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe
Token: SeDebugPrivilege	2900	tmp79D1.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2712	1992	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe	30
PID 1992 wrote to memory of 2712	1992	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe	30
PID 1992 wrote to memory of 2712	1992	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe	30
PID 1992 wrote to memory of 2712	1992	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe	30
PID 2712 wrote to memory of 2836	2712	vbc.exe	32
PID 2712 wrote to memory of 2836	2712	vbc.exe	32
PID 2712 wrote to memory of 2836	2712	vbc.exe	32
PID 2712 wrote to memory of 2836	2712	vbc.exe	32
PID 1992 wrote to memory of 2900	1992	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe	33
PID 1992 wrote to memory of 2900	1992	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe	33
PID 1992 wrote to memory of 2900	1992	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe	33
PID 1992 wrote to memory of 2900	1992	201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe	33

C:\Users\Admin\AppData\Local\Temp\201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe
"C:\Users\Admin\AppData\Local\Temp\201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nkl7zpg4.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A7E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7A7D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836
- C:\Users\Admin\AppData\Local\Temp\tmp79D1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp79D1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\201221fa64f211486a97d17aa18224a7f1a8c2621177866cc7549c21c0333962.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7A7E.tmp

Filesize
1KB

MD5
2941e26e160c03006dd4d36cd46f8eb4

SHA1
96844d0fd89b935de4417700afba9ece8af1b717

SHA256
60b5eb621f857b2f379ad43dd779fcbc9a5d469d28ccc594d54982d4643143e6

SHA512
6d10460cbcc91fa34e2f3617e45f0c22b50cb2eba0406d4cbecf4fad07a0f4b6661af47268cf04c08e90fc255ba050dc898394091a6a614c09aab91a4b2fa46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkl7zpg4.0.vb

Filesize
15KB

MD5
036eec078ae033fd0141a8ba48ad68c6

SHA1
4002aa0eb2a1bc4a84c63717b9535f7aad37cda2

SHA256
00c957f6a0cb3c75725f5c64de50cda8d8333e5e9e82e2b912c038b0456a7e60

SHA512
27f377654ae4055f8f32fb4f75d007dcc6bfccdb57234bba12f4c44927bcc835a684e224bdb71e9189e3e5508ffb638c5e9ec1e2b36777f73ab9a28a9f1a057f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkl7zpg4.cmdline

Filesize
266B

MD5
8ae5158f0ab211d54061af7084eba2d2

SHA1
d7e403330972f6e0b8c5b5a4101b5bebe7da0c8f

SHA256
1ba60c3985e2b64b49621b49a6d7ec40e37824227eb286473037dcb60e94b890

SHA512
3167921ffb7e90eca47714c141938ed1bd52c9acbdc9caf47f2a3fa7e16a5f92c46e64d47fd7f4eb949a0bbe59b95ed8302d5b2685df825694fc662b9654de91

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79D1.tmp.exe

Filesize
78KB

MD5
24d13a69bcbfcf3b21dc5a35ae97050b

SHA1
cb6787b584eef2bae866c5341d0d2621ca3c2edb

SHA256
0bdb765d9cbbe0d1a0750616d4baccb0de625fee457fcafaf4e24f7e32bd3764

SHA512
7a8334329154190977716cc55680aed757c5a2f8cfd18f030595456c8a92ce6eb3a1f90ccb2ef909ea6e2f792868053f8f65e4533515baa2894233e8e0dcbd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7A7D.tmp

Filesize
660B

MD5
bc68b995c42716ca1a77333ae78bd213

SHA1
31b82d75ddb4435c52c0aef4e6de60b839af8fd2

SHA256
215d324a51ef781dbaf1818b93239b25fca21fc63c9d85ab40090c7613c5e12f

SHA512
0c548ab5af4a826beaa555f2bc5fd5f5a6966fd4f8f9fc95e4753b4f0efe34ca950f14c4c0f96043bdfcf044f3659d713e86bfa9d9064b5f8b2f3897f8f0dbae

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1992-0-0x00000000747A1000-0x00000000747A2000-memory.dmp

Filesize
4KB

Download
memory/1992-1-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Filesize
5.7MB

Download
memory/1992-2-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Filesize
5.7MB

Download
memory/1992-24-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Filesize
5.7MB

Download
memory/2712-8-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Filesize
5.7MB

Download
memory/2712-18-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads