Overview

overview

10

Static

static

10

b8b78dcf13...d2.exe

windows7-x64

10

b8b78dcf13...d2.exe

windows10-2004-x64

10

b8d253be83...33.exe

windows7-x64

10

b8d253be83...33.exe

windows10-2004-x64

7

b8ed4395ab...f9.exe

windows7-x64

7

b8ed4395ab...f9.exe

windows10-2004-x64

7

b93347150f...89.exe

windows7-x64

1

b93347150f...89.exe

windows10-2004-x64

1

b936c3a846...59.exe

windows7-x64

1

b936c3a846...59.exe

windows10-2004-x64

1

b985e2e2a0...ef.exe

windows7-x64

3

b985e2e2a0...ef.exe

windows10-2004-x64

10

b99adb733f...40.exe

windows7-x64

10

b99adb733f...40.exe

windows10-2004-x64

10

b9cfd0a072...65.exe

windows7-x64

10

b9cfd0a072...65.exe

windows10-2004-x64

10

b9d4ce4583...bc.exe

windows7-x64

10

b9d4ce4583...bc.exe

windows10-2004-x64

10

b9eb72c666...72.exe

windows7-x64

10

b9eb72c666...72.exe

windows10-2004-x64

10

b9f7b13b1d...ef.exe

windows7-x64

10

b9f7b13b1d...ef.exe

windows10-2004-x64

10

ba0566e43d...23.exe

windows7-x64

1

ba0566e43d...23.exe

windows10-2004-x64

1

ba21b0abda...c0.exe

windows7-x64

9

ba21b0abda...c0.exe

windows10-2004-x64

9

ba4d84a77a...85.exe

windows7-x64

10

ba4d84a77a...85.exe

windows10-2004-x64

10

ba598ceed6...17.exe

windows7-x64

10

ba598ceed6...17.exe

windows10-2004-x64

10

ba6c7a8dc7...59.exe

windows7-x64

10

ba6c7a8dc7...59.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b9cfd0a072e3e0386a247f51c2191a65.exe

  • Size

    78KB

  • MD5

    b9cfd0a072e3e0386a247f51c2191a65

  • SHA1

    88dac9c88aab956be038e06aaf7388605657c868

  • SHA256

    6d6b0f0a08acaef445833b1a9347a17ef59928295dfdb5f20c9e6f629ac5dba0

  • SHA512

    a7a12d2843fefa387b2e11466336360bf8fc02bdc86b38724a87ef42a6ad60c7e66ed227d56e8feb13314705a8ae35eab59e8d1608a37ba03a7b02ee3e10563a

  • SSDEEP

    1536:EsHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQts9/Z1ik:EsHY53Ln7N041Qqhgs9/r

Score
10/10
metamorpherratdiscoverypersistenceratstealertrojan

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

    trojanratstealermetamorpherrat
  • Metamorpherrat family
    metamorpherrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9cfd0a072e3e0386a247f51c2191a65.exe
    "C:\Users\Admin\AppData\Local\Temp\b9cfd0a072e3e0386a247f51c2191a65.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\socwl0yj.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4144
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES738A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3CC99AFBD3494E5B9B31922F52ACC813.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:672
    • C:\Users\Admin\AppData\Local\Temp\tmp7223.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp7223.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b9cfd0a072e3e0386a247f51c2191a65.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4596

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES738A.tmp
    Filesize

    1KB

    MD5

    0a98121f0a07970d7f4d966aa2866a1c

    SHA1

    b4cda655305073e0ddb5ff10227bbbbd360159fd

    SHA256

    d9fe6ad8da91f684364724a5848b709ecd9fd1ef7b8fa5c92dbae4d9830d850b

    SHA512

    4551adc297e41b0abb6111841f5ee6fcd4fd3fcdc834f249fca945246b885033174c431cf4771b9ea5a63386c29e0fbb7dc58adb15a6f6717034bf2bd5a89d5f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\socwl0yj.0.vb
    Filesize

    15KB

    MD5

    50ce934bd5fadd2dcc7c4049469e6f55

    SHA1

    a8bcf2e745f1848d0140e07b87b1e958cb9253a3

    SHA256

    82f0c51df5116a8bd177fa6fdafb7435aae486f1d4aca30195fcb7e7878af130

    SHA512

    6a3b3bb1a19ecb6bac1d04906176be851e115b626f00b82bc2667c36cd45c2ee04c07963c407bc30b84ab8e78053395e5cb7dfd9a99652956b9c6101a22ab85c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\socwl0yj.cmdline
    Filesize

    266B

    MD5

    fdc87699115aff1fd988c291a021df2e

    SHA1

    59a56aa74997333969add9025e8fa3db5ac1cae6

    SHA256

    0b82d8ead86042475cdfc5134fa9708d8b4e45e5f1a5017d755cd1e4a8e16fc7

    SHA512

    f1f26518e0706404fb503eb719ac5483fdf3c78b6b19b63ad81f53c20e5ef1c14420761f4f757e15e00d6cdaf11ca4b10a4d15daab852df959b6f8517071c0ae

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp7223.tmp.exe
    Filesize

    78KB

    MD5

    0d9ac10f0d4d1feba2efa48a8e940e00

    SHA1

    05840d0b9a8b68f7e92e132a74e58e01d7d5a0a1

    SHA256

    3adf3bbc788fe52965aca74b3070f6eabc776ab06d707bfb51b56bc85f31a51c

    SHA512

    e4e478df778cc5191a3dfcfeb611689b298b3798aa25d5d8345777e27b8e8a80cddf3cc45961371ce2997ad8a86156bc8faadef10fd9bd1a79cfebc4082818fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbc3CC99AFBD3494E5B9B31922F52ACC813.TMP
    Filesize

    660B

    MD5

    afb18eb9f79de26781fae166c10ad9c0

    SHA1

    0db00e5f93b24c252de5b91da2735562079a7c0f

    SHA256

    8a58bf075f16b28c5fcb0f65960e3c7f165dd8c1bd1ea41a23e1d7f0510a402b

    SHA512

    b45fc4d0afb0c8effadf29c40152ae46ffcd4f2cfe80eff0398a301e3709fb18030e9e2cc10461f20004bbd046703976b116c2bbbe58f799d6f54cd803492144

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize

    62KB

    MD5

    aa4bdac8c4e0538ec2bb4b7574c94192

    SHA1

    ef76d834232b67b27ebd75708922adea97aeacce

    SHA256

    d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

    SHA512

    0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

    Download Submit

  • memory/1984-22-0x0000000074BB0000-0x0000000075161000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1984-2-0x0000000074BB0000-0x0000000075161000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1984-1-0x0000000074BB0000-0x0000000075161000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1984-0-0x0000000074BB2000-0x0000000074BB3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4144-9-0x0000000074BB0000-0x0000000075161000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4144-18-0x0000000074BB0000-0x0000000075161000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4596-23-0x0000000074BB0000-0x0000000075161000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4596-24-0x0000000074BB0000-0x0000000075161000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4596-25-0x0000000074BB0000-0x0000000075161000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4596-27-0x0000000074BB0000-0x0000000075161000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4596-28-0x0000000074BB0000-0x0000000075161000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4596-29-0x0000000074BB0000-0x0000000075161000-memory.dmp

    Filesize

    5.7MB

    Download