Analysis

  • max time kernel
    103s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/12/2024, 02:39 UTC

General

  • Target

    4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe

  • Size

    78KB

  • MD5

    01658283871862263343db8c80526e20

  • SHA1

    7304d9cf47d70ccd9a54892e53205ce8ed86d33e

  • SHA256

    4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a

  • SHA512

    3b62bd87ffd3910484728d3e21f2c7d759b823b0575ff9773ab33010581617e38646d3ce1733d4f7be80a26d7c72483720e86961803431364ad97a53f2693e66

  • SSDEEP

    1536:UPy5jS6vZv0kH9gDDtWzYCnJPeoYrGQt96g9/qT1y+A:UPy5jS6l0Y9MDYrm7f9/qXA

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been around since 2013.

  • Metamorpherrat family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe
    "C:\Users\Admin\AppData\Local\Temp\4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7zgvjfts.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1052
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4947623C831E445F90404EA5607560DD.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4072
    • C:\Users\Admin\AppData\Local\Temp\tmp7474.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp7474.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:116

Network

  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    82.90.14.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    82.90.14.23.in-addr.arpa
    IN PTR
    Response
    82.90.14.23.in-addr.arpa
    IN PTR
    a23-14-90-82.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    67.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    67.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    bejnz.com
    tmp7474.tmp.exe
    Remote address:
    8.8.8.8:53
    Request
    bejnz.com
    IN A
    Response
    bejnz.com
    IN A
    44.221.84.105
  • flag-us
    GET
    http://bejnz.com/IP.php
    tmp7474.tmp.exe
    Remote address:
    44.221.84.105:80
    Request
    GET /IP.php HTTP/1.1
    Host: bejnz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 07 Dec 2024 02:39:37 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=37eed69beb49dc9a4a9ea28f79e84514|181.215.176.83|1733539177|1733539177|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    DNS
    105.84.221.44.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    105.84.221.44.in-addr.arpa
    IN PTR
    Response
    105.84.221.44.in-addr.arpa
    IN PTR
    ec2-44-221-84-105.compute-1.amazonaws.com
  • flag-us
    GET
    http://bejnz.com/IP.php
    tmp7474.tmp.exe
    Remote address:
    44.221.84.105:80
    Request
    GET /IP.php HTTP/1.1
    Host: bejnz.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 07 Dec 2024 02:39:40 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=b1e6e51c1d3e243352bf59ba04d321e4|181.215.176.83|1733539180|1733539180|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    http://bejnz.com/IP.php
    tmp7474.tmp.exe
    Remote address:
    44.221.84.105:80
    Request
    GET /IP.php HTTP/1.1
    Host: bejnz.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 07 Dec 2024 02:39:43 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=58273a3c32b405ec6b183b70df56dba5|181.215.176.83|1733539183|1733539183|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    GET
    http://bejnz.com/IP.php
    tmp7474.tmp.exe
    Remote address:
    44.221.84.105:80
    Request
    GET /IP.php HTTP/1.1
    Host: bejnz.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 07 Dec 2024 02:39:47 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=cb2478b7966f0dcb9e3ec931ced33a83|181.215.176.83|1733539187|1733539187|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    GET
    http://bejnz.com/IP.php
    tmp7474.tmp.exe
    Remote address:
    44.221.84.105:80
    Request
    GET /IP.php HTTP/1.1
    Host: bejnz.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 07 Dec 2024 02:39:50 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=7cac9e14566824f7709bc0f0ba07f783|181.215.176.83|1733539190|1733539190|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    GET
    http://bejnz.com/IP.php
    tmp7474.tmp.exe
    Remote address:
    44.221.84.105:80
    Request
    GET /IP.php HTTP/1.1
    Host: bejnz.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 07 Dec 2024 02:39:53 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=7753c2ca2296616290c53dcb3994ec05|181.215.176.83|1733539193|1733539193|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    GET
    http://bejnz.com/IP.php
    tmp7474.tmp.exe
    Remote address:
    44.221.84.105:80
    Request
    GET /IP.php HTTP/1.1
    Host: bejnz.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 07 Dec 2024 02:39:56 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=256073504de9a8d8adcd6c3c9621ee39|181.215.176.83|1733539196|1733539196|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    http://bejnz.com/IP.php
    tmp7474.tmp.exe
    Remote address:
    44.221.84.105:80
    Request
    GET /IP.php HTTP/1.1
    Host: bejnz.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 07 Dec 2024 02:40:00 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=539c3ac95641cdb7805d492561ccc58b|181.215.176.83|1733539200|1733539200|0|1|0; path=/; domain=.bejnz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    25.111.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    25.111.221.88.in-addr.arpa
    IN PTR
    Response
    25.111.221.88.in-addr.arpa
    IN PTR
    a88-221-111-25.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 44.221.84.105:80
    http://bejnz.com/IP.php
    http
    tmp7474.tmp.exe
    295 B
    625 B
    5
    5

    HTTP Request

    GET http://bejnz.com/IP.php

    HTTP Response

    200
  • 127.0.0.1:127
    tmp7474.tmp.exe
  • 44.221.84.105:80
    http://bejnz.com/IP.php
    http
    tmp7474.tmp.exe
    271 B
    625 B
    5
    5

    HTTP Request

    GET http://bejnz.com/IP.php

    HTTP Response

    200
  • 127.0.0.1:127
    tmp7474.tmp.exe
  • 44.221.84.105:80
    http://bejnz.com/IP.php
    http
    tmp7474.tmp.exe
    271 B
    625 B
    5
    5

    HTTP Request

    GET http://bejnz.com/IP.php

    HTTP Response

    200
  • 127.0.0.1:127
    tmp7474.tmp.exe
  • 44.221.84.105:80
    http://bejnz.com/IP.php
    http
    tmp7474.tmp.exe
    271 B
    625 B
    5
    5

    HTTP Request

    GET http://bejnz.com/IP.php

    HTTP Response

    200
  • 127.0.0.1:127
    tmp7474.tmp.exe
  • 44.221.84.105:80
    http://bejnz.com/IP.php
    http
    tmp7474.tmp.exe
    271 B
    625 B
    5
    5

    HTTP Request

    GET http://bejnz.com/IP.php

    HTTP Response

    200
  • 127.0.0.1:127
    tmp7474.tmp.exe
  • 44.221.84.105:80
    http://bejnz.com/IP.php
    http
    tmp7474.tmp.exe
    317 B
    625 B
    6
    5

    HTTP Request

    GET http://bejnz.com/IP.php

    HTTP Response

    200
  • 127.0.0.1:127
    tmp7474.tmp.exe
  • 44.221.84.105:80
    http://bejnz.com/IP.php
    http
    tmp7474.tmp.exe
    271 B
    625 B
    5
    5

    HTTP Request

    GET http://bejnz.com/IP.php

    HTTP Response

    200
  • 127.0.0.1:127
    tmp7474.tmp.exe
  • 44.221.84.105:80
    http://bejnz.com/IP.php
    http
    tmp7474.tmp.exe
    271 B
    625 B
    5
    5

    HTTP Request

    GET http://bejnz.com/IP.php

    HTTP Response

    200
  • 127.0.0.1:127
    tmp7474.tmp.exe
  • 44.221.84.105:80
    bejnz.com
    tmp7474.tmp.exe
    520 B
    10
  • 127.0.0.1:127
    tmp7474.tmp.exe
  • 44.221.84.105:80
    bejnz.com
    tmp7474.tmp.exe
    260 B
    5
  • 127.0.0.1:127
    tmp7474.tmp.exe
  • 44.221.84.105:80
    bejnz.com
    tmp7474.tmp.exe
    260 B
    5
  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    82.90.14.23.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    82.90.14.23.in-addr.arpa

  • 8.8.8.8:53
    67.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    67.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    bejnz.com
    dns
    tmp7474.tmp.exe
    55 B
    71 B
    1
    1

    DNS Request

    bejnz.com

    DNS Response

    44.221.84.105

  • 8.8.8.8:53
    105.84.221.44.in-addr.arpa
    dns
    72 B
    127 B
    1
    1

    DNS Request

    105.84.221.44.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    25.111.221.88.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    25.111.221.88.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zgvjfts.0.vb

    Filesize

    14KB

    MD5

    61a8d4ba1abac78b3c3d42230459db90

    SHA1

    a4881cc2ecb890a8704ed100167081adbd13cc41

    SHA256

    49e761021077811d9b2515582e6c8b1e1228590001c4795c984b7ffe12bbd016

    SHA512

    41f46d6c4df44976426df86ce61953064a89810bc0ac55a2bfc8ea6c8373efdc8ef8677e0d78bcdba6958c1779e15644c018b94e73e8694e82452067118434a3

  • C:\Users\Admin\AppData\Local\Temp\7zgvjfts.cmdline

    Filesize

    266B

    MD5

    7fbf1009908a5e0ff5d2c6e6f0e2c114

    SHA1

    61bf211899b770f8812730780be5c9d4efc72225

    SHA256

    acda48cb9e1de78a7d1dd8a26bc2878ba80a060f2d60c351552f709016aeffc4

    SHA512

    0cf603e4aab71d98df471626b2dd87ff4e7ed17fd44d99a24109e3193d266c6606dde4f8a4802c3bdad4f38021b7a50284514a08b5ce609eb14b3dc2759a11fd

  • C:\Users\Admin\AppData\Local\Temp\RES75DC.tmp

    Filesize

    1KB

    MD5

    25fe61d3fdef4790a782d2193f553304

    SHA1

    9f21d5a9e06664eb68f7fd8d030a6fdbf2b19662

    SHA256

    f89a1d820e5f9aea58e31b95c8098180ec38e7021b2e0e78fb25647aae92d81e

    SHA512

    4a8e6799df06a5c53b2c30bd1312ded7a860a2e52d610dab01d5135f9bbd10d2e37b4d6b2090aaccde98fb634c5747419bba950ef182c7389959f58164eb4dff

  • C:\Users\Admin\AppData\Local\Temp\tmp7474.tmp.exe

    Filesize

    78KB

    MD5

    6a79741fa39cbd6a7445c04bcc66cb4e

    SHA1

    aa6141c3e7799003e61dfe1f318b37bb46f61688

    SHA256

    ecb95656b4f068e6e16ccadf279176df4b7eabb4a6ee0f74b629e07a2028ea5e

    SHA512

    3aa5529713981857010ed56123db9153031a37e421d13d8b26113c94b5c772763f87dfde498ffeb6000a71d52bec1cdaf2a46b57faa97390990e9950c85ac707

  • C:\Users\Admin\AppData\Local\Temp\vbc4947623C831E445F90404EA5607560DD.TMP

    Filesize

    660B

    MD5

    f6736a501aa56132a8c7afd2bac5cfef

    SHA1

    9e697b344b3ec613a37354d5d6a5ced2ed237c1b

    SHA256

    d821b0df28d9bb77668c3ccb7227526aa462bf4af80eb7f8bf74e06841b9c8d6

    SHA512

    77ca0edba9c00e7f034604e8638bcad1cc97e3067c83472599e5a2cf2d5288c606ead2133b897c5e13b82968b1a9f5f78ac8e0686c3d5338daa3acaf045db342

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8b25b4d931908b4c77ce6c3d5b9a2910

    SHA1

    88b65fd9733484c8f8147dad9d0896918c7e37c7

    SHA256

    79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

    SHA512

    6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

  • memory/116-23-0x0000000075530000-0x0000000075AE1000-memory.dmp

    Filesize

    5.7MB

  • memory/116-24-0x0000000075530000-0x0000000075AE1000-memory.dmp

    Filesize

    5.7MB

  • memory/116-26-0x0000000075530000-0x0000000075AE1000-memory.dmp

    Filesize

    5.7MB

  • memory/116-27-0x0000000075530000-0x0000000075AE1000-memory.dmp

    Filesize

    5.7MB

  • memory/116-28-0x0000000075530000-0x0000000075AE1000-memory.dmp

    Filesize

    5.7MB

  • memory/552-0-0x0000000075532000-0x0000000075533000-memory.dmp

    Filesize

    4KB

  • memory/552-1-0x0000000075530000-0x0000000075AE1000-memory.dmp

    Filesize

    5.7MB

  • memory/552-22-0x0000000075530000-0x0000000075AE1000-memory.dmp

    Filesize

    5.7MB

  • memory/552-2-0x0000000075530000-0x0000000075AE1000-memory.dmp

    Filesize

    5.7MB

  • memory/1052-9-0x0000000075530000-0x0000000075AE1000-memory.dmp

    Filesize

    5.7MB

  • memory/1052-18-0x0000000075530000-0x0000000075AE1000-memory.dmp

    Filesize

    5.7MB
