Overview

overview

10

Static

static

3

a6916638ee...5c.exe

windows7-x64

10

a6916638ee...5c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-01-2025 10:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe

  • Size

    78KB

  • MD5

    7ee472bfd0e44c494ea26d3f028a578e

  • SHA1

    85c00e765a09c3f0fcbbb143d808fc3234b7ad59

  • SHA256

    a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c

  • SHA512

    397db579c4a9013b76af8ff8f2cb98f382cdafcdf2f9f508d9127bd7d889072db435ad9feaee1ee7ad8bd6fea05b1c3a8e7d02d6a99b8945adb5d4d820aff348

  • SSDEEP

    1536:DCHF3M7t/vZv0kH9gDDtWzYCnJPeoYrGQtRj9/q1gQy:DCHF8h/l0Y9MDYrm7Rj9/ay

Score
10/10
metamorpherratdiscoverypersistenceratstealertrojan

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

    trojanratstealermetamorpherrat
  • Metamorpherrat family
    metamorpherrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe
    "C:\Users\Admin\AppData\Local\Temp\a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4272
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ptub7ots.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C30.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A416DF7F19A43F5A3D8AA67149E5D75.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4332
    • C:\Users\Admin\AppData\Local\Temp\tmp9AB9.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp9AB9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a6916638eeed4aa8f0d538a03557e6cb2301ac04379ecdf0eebfdbb916a2935c.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:216

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES9C30.tmp
    Filesize

    1KB

    MD5

    fd17bb941d748d5317890489525dc2bc

    SHA1

    5d701e02995c55ab53590c8bafca512c24e60caa

    SHA256

    1bbccfa951d6f4e5d3149dacf43117d11ce05e9da0a2ce2ba2925c9dbb8b4935

    SHA512

    78a6503cf733f099a47eedf3565c0b604a21a2487286856ad6c065cbda7bedc4ab4c9c6a94550d4c0bae2ac33e24b7b12d845e6372cb2c0acd22db7411fb87b6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ptub7ots.0.vb
    Filesize

    15KB

    MD5

    edceb18018b3b798b1b9cb5be7a8bd28

    SHA1

    0ac61acdf977cf026b843093fea355eb915e1f88

    SHA256

    20fc8b5303823a8ff1968ea14867637a4fd76f8d1d1de10b36d306fd3793f4ac

    SHA512

    1c4f1a442f95ef8d93a3ba7f10b87561b34ba9378f1fc52ef5632a27031072678135761f6a449bb816761f02486ab8c56f78b3384ce5ee2f8585eb617da1b54a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ptub7ots.cmdline
    Filesize

    266B

    MD5

    eb9c85deb95ac00c812a7ee5cf009aef

    SHA1

    9cf0a11af9a60e926dd156d33c40384b3f7a77cd

    SHA256

    575cdf819b8171e1870a58aee31658edb2af05c902c0e1665fb2bb9a75c11b3e

    SHA512

    8c7c5117a3257973718b143ca48ba47c3fa7d551d85ac41b25ad291ba7d0f5265ae83f5c79deb6875e91ccd9dc2e9c87592e3c90cdc34e629c4794e7f9ec1d99

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp9AB9.tmp.exe
    Filesize

    78KB

    MD5

    6a27887a5b4ff5dc8f356c0eb4a4378f

    SHA1

    d435ef9285c53c2c4272f9ebd6fd96b55778bb9e

    SHA256

    0596aec1bf187d3fa6f1c7494f6203f08b8d3857b241a69f0babb1c502b168b7

    SHA512

    1b0ebf6ce4114f59e0bd4308e0f64adc48476e9aff6e11cd3590e433521a08df298e29ddfb79e4addf14931fdbbce893f30c1c70a5249b601972b969490099c0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbc1A416DF7F19A43F5A3D8AA67149E5D75.TMP
    Filesize

    660B

    MD5

    99dcd86ec0843ea94dd6847ebf850237

    SHA1

    2b2f2b2794af04223e02e931ff687b8ad395f0fe

    SHA256

    3ee1ce404508f7aff28393722a954b8b6b8cb565bf30a2c3ed0c36fdbfa623ec

    SHA512

    35e0cd56cec52c2d8c38238cf05204b3dcecbbaebee2ecf9782abe15c332ec8f18a63c022eb11ce737f6a861cc2a5e2a14bd34f6a5a99d41138a80979607e4a7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize

    62KB

    MD5

    8b25b4d931908b4c77ce6c3d5b9a2910

    SHA1

    88b65fd9733484c8f8147dad9d0896918c7e37c7

    SHA256

    79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

    SHA512

    6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

    Download Submit

  • memory/216-27-0x0000000074DC0000-0x0000000075371000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/216-28-0x0000000074DC0000-0x0000000075371000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/216-31-0x0000000074DC0000-0x0000000075371000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/216-30-0x0000000074DC0000-0x0000000075371000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/216-29-0x0000000074DC0000-0x0000000075371000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/216-24-0x0000000074DC0000-0x0000000075371000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/216-23-0x0000000074DC0000-0x0000000075371000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/216-25-0x0000000074DC0000-0x0000000075371000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2784-9-0x0000000074DC0000-0x0000000075371000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2784-18-0x0000000074DC0000-0x0000000075371000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4272-22-0x0000000074DC0000-0x0000000075371000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4272-0-0x0000000074DC2000-0x0000000074DC3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4272-1-0x0000000074DC0000-0x0000000075371000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4272-2-0x0000000074DC0000-0x0000000075371000-memory.dmp

    Filesize

    5.7MB

    Download