Analysis

  • max time kernel
    140s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/03/2025, 06:15

General

  • Target

    b9cfd0a072e3e0386a247f51c2191a65.exe

  • Size

    78KB

  • MD5

    b9cfd0a072e3e0386a247f51c2191a65

  • SHA1

    88dac9c88aab956be038e06aaf7388605657c868

  • SHA256

    6d6b0f0a08acaef445833b1a9347a17ef59928295dfdb5f20c9e6f629ac5dba0

  • SHA512

    a7a12d2843fefa387b2e11466336360bf8fc02bdc86b38724a87ef42a6ad60c7e66ed227d56e8feb13314705a8ae35eab59e8d1608a37ba03a7b02ee3e10563a

  • SSDEEP

    1536:EsHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQts9/Z1ik:EsHY53Ln7N041Qqhgs9/r

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a remote access tool that has been in circulation since 2013.

  • MetamorpherRAT family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VB.NET compiler (vbc.exe) for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9cfd0a072e3e0386a247f51c2191a65.exe
    "C:\Users\Admin\AppData\Local\Temp\b9cfd0a072e3e0386a247f51c2191a65.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1ji_wtpm.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1480
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD4CC.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2208
    • C:\Users\Admin\AppData\Local\Temp\tmpD411.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpD411.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b9cfd0a072e3e0386a247f51c2191a65.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1104
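
The process tree above is the classic runtime-compilation chain: the sample hands vbc.exe a response file (1ji_wtpm.cmdline) that points at dropped source (1ji_wtpm.0.vb), vbc.exe in turn runs cvtres.exe to build the resource section, and the freshly compiled tmpD411.tmp.exe is then executed with the original binary's path as its only argument, which matches the "Deletes itself" signature (the child removes its parent once the parent exits). As an added detection example, not part of this report, the Python below runs two heuristics over constructed Sysmon-style process-creation records assembled from the PIDs and command lines in the tree plus one benign MSBuild control; the rule names, the trusted build-host list and the user-writable directory markers are assumptions chosen for illustration, not fields or lists from the sandbox.

```python
"""Two heuristics for the runtime-compilation chain shown in the process tree.

Added example, not code from the sandbox or the sample. The records in EVENTS
are constructed by hand (Sysmon Event ID 1 style field names); PIDs, images and
command lines are copied from the report, the MSBuild control is invented.
"""
import ntpath
import re

# Assumed allow-list of parents that legitimately drive vbc.exe/csc.exe.
TRUSTED_BUILD_HOSTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}
MANAGED_COMPILERS = {"vbc.exe", "csc.exe"}
# Assumed markers for directories an unprivileged user can write to.
USER_WRITABLE_MARKERS = (r"\appdata\local\temp", r"\users\public", r"\programdata", r"\downloads")

# Constructed process-creation events mirroring the tree above, plus a benign control.
EVENTS = [
    {"pid": 3016, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\b9cfd0a072e3e0386a247f51c2191a65.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\b9cfd0a072e3e0386a247f51c2191a65.exe"'},
    {"pid": 1480, "ppid": 3016,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1ji_wtpm.cmdline"'},
    {"pid": 2208, "ppid": 1480,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD4CC.tmp"'},
    {"pid": 1104, "ppid": 3016,
     "image": r"C:\Users\Admin\AppData\Local\Temp\tmpD411.tmp.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\tmpD411.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b9cfd0a072e3e0386a247f51c2191a65.exe'},
    # Benign control (constructed): a developer build where MSBuild drives vbc.exe.
    {"pid": 5000, "ppid": 4000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe proj.vbproj"},
    {"pid": 5001, "ppid": 5000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'vbc.exe /noconfig @"C:\src\proj\obj\Debug\tmp.cmdline"'},
]


def split_cmdline(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def is_user_writable(path):
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def basename(path):
    return ntpath.basename(path).lower()


def compiler_from_untrusted_parent(event, parent):
    """vbc/csc launched by something other than a build host, reading an
    @response file from a user-writable directory (the tree's PID 1480)."""
    if basename(event["image"]) not in MANAGED_COMPILERS:
        return False
    if parent is not None and basename(parent["image"]) in TRUSTED_BUILD_HOSTS:
        return False
    for token in split_cmdline(event["cmdline"])[1:]:
        if token.startswith("@") and is_user_writable(token[1:].strip('"')):
            return True
    return False


def self_delete_handoff(event, parent):
    """A binary in a user-writable directory started with its parent's own
    image path as an argument, the hand-off used to delete the parent after
    it exits (the tree's PID 1104)."""
    if parent is None or not is_user_writable(event["image"]):
        return False
    args = split_cmdline(event["cmdline"])[1:]
    return any(arg.lower() == parent["image"].lower() for arg in args)


RULES = {
    "compiler_from_untrusted_parent": compiler_from_untrusted_parent,
    "self_delete_handoff": self_delete_handoff,
}


def analyse(events):
    """Return (pid, rule_name) for every event a rule fires on."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for event in events:
        parent = by_pid.get(event["ppid"])
        for name, rule in RULES.items():
            if rule(event, parent):
                hits.append((event["pid"], name))
    return hits


if __name__ == "__main__":
    for pid, rule in analyse(EVENTS):
        print(f"PID {pid}: {rule}")
```

Against the constructed events only PIDs 1480 and 1104 fire; cvtres.exe is left alone because it is a normal child of the compiler, and the MSBuild-driven vbc.exe is suppressed by the parent allow-list. Expect benign hits from PowerShell's Add-Type and from XmlSerializer-generated assemblies, both of which also spawn csc.exe from non-build parents with a response file in Temp, so tune the parent list and the writable-directory markers to the estate before alerting on the first rule alone.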

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1ji_wtpm.0.vb

    Filesize

    15KB

    MD5

    58fb1207ecab060dbb9c23774d35577e

    SHA1

    61cd1178722b2584ca0663459040c29620669be2

    SHA256

    c203dcbfd86c3b3867c1abba287a9788be52d39a9cc5b3d3f3a136ebebb01826

    SHA512

    1d97f5333b1132504339964368aee55c4bed3c885cefba3bf5fb78f2d2d637e5ef002f23430592f5d3c182dcdd220b6ae5db6e4292bdf3c4839d7b5f45f5c447

  • C:\Users\Admin\AppData\Local\Temp\1ji_wtpm.cmdline

    Filesize

    266B

    MD5

    fd73b65f7a03c580567097aef4b0f724

    SHA1

    97b81ce90e394a8847ea100cd0deb3fc419adc9f

    SHA256

    a185633621c31a1fad4db74b219d682e9c166e35dbc1deb576fde21c3d8e4cc5

    SHA512

    c1a741b8540da7bd0f0835415c36a854a6803af2f611aa55ef3e060f9e0d4c9d12b10674c0a39e97da7875706818aabadd754ebeb99d7e27fb645b52df9a242f

  • C:\Users\Admin\AppData\Local\Temp\RESD4CD.tmp

    Filesize

    1KB

    MD5

    099de3cc162f82538f41e5b624573b89

    SHA1

    7548d0a71dc2b8eafa91942a7db83e79da7d6dc7

    SHA256

    b8dc9ef350be4ac0c5467adc045df81baaadfcec03ff5a5ad1319a95bde8f7b5

    SHA512

    65c87eef58ff419a8dbf959e4e54adb1d16b0f8be553209f52d6e32f625ccf82503961834df4b6dec906101f13afffa77624f854dd5ec925566d0645a9469649

  • C:\Users\Admin\AppData\Local\Temp\tmpD411.tmp.exe

    Filesize

    78KB

    MD5

    254559f5fd6760ef77920ed5d63b82c7

    SHA1

    b2df78aadfbc41ec4bfc1a08702dc2b824745d5a

    SHA256

    e34cfacf5dcdedf06edc62d711f479b070da921c290cb23dbdc5031ab479c11b

    SHA512

    611677ed274795b8dcca607e12705b4b72053e446e0d8f5f84799518e3bb8e82004ae80c01c8f09c12110952f0a44df06597d5e56dba3a2e163cbe7f843bf342

  • C:\Users\Admin\AppData\Local\Temp\vbcD4CC.tmp

    Filesize

    660B

    MD5

    f3c2747c721ce1e978a5605e1b6cbcb3

    SHA1

    3203dbac9aefca1b5390be8fa4b62b905d8cf7c3

    SHA256

    a99343529e7b997fd5e94b6d7f101db70e6133c0a70869235f4d69e389e718eb

    SHA512

    3468ec4516d4cca660b8747c709c013e2026d537a5e64216bf6040fc87e03a5aef6bd86afd343e8bfd81e9bfb6345e44d7992859e854acbcecc2e8f0c2a73b67

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    aa4bdac8c4e0538ec2bb4b7574c94192

    SHA1

    ef76d834232b67b27ebd75708922adea97aeacce

    SHA256

    d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

    SHA512

    0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

  • memory/1480-8-0x0000000074DE0000-0x000000007538B000-memory.dmp

    Filesize

    5.7MB

  • memory/1480-18-0x0000000074DE0000-0x000000007538B000-memory.dmp

    Filesize

    5.7MB

  • memory/3016-0-0x0000000074DE1000-0x0000000074DE2000-memory.dmp

    Filesize

    4KB

  • memory/3016-1-0x0000000074DE0000-0x000000007538B000-memory.dmp

    Filesize

    5.7MB

  • memory/3016-2-0x0000000074DE0000-0x000000007538B000-memory.dmp

    Filesize

    5.7MB

  • memory/3016-24-0x0000000074DE0000-0x000000007538B000-memory.dmp

    Filesize

    5.7MB