metamorpherrat | a40626fbe1122175c403f8510e1f6ad41cee213a87ce8252305e32e5071a170a

Analysis

max time kernel
143s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdad1ff46d46963cc687d5f6889c9ef2.exe
Size

78KB
MD5

bdad1ff46d46963cc687d5f6889c9ef2
SHA1

16329a972f772675d1c55304ed703fcf8649c720
SHA256

9f935f8e74743d350a12fa3f517b6ef5e57c54d850e83592e7da680aa95f37d0
SHA512

12b4d7d257aa55abdfdd213e3f105cad45207973b40d653cd29d6c20e58b3f867883422eeb0176f8f5fbea1b088df64ab5e28a32efab2133d4612140ab93f5fe
SSDEEP

1536:tCHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtRF9//166:tCHFo53Ln7N041QqhgRF9/P

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2708	tmpB165.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2540	bdad1ff46d46963cc687d5f6889c9ef2.exe
2540	bdad1ff46d46963cc687d5f6889c9ef2.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpB165.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdad1ff46d46963cc687d5f6889c9ef2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB165.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	bdad1ff46d46963cc687d5f6889c9ef2.exe
Token: SeDebugPrivilege	2708	tmpB165.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 3068	2540	bdad1ff46d46963cc687d5f6889c9ef2.exe	30
PID 2540 wrote to memory of 3068	2540	bdad1ff46d46963cc687d5f6889c9ef2.exe	30
PID 2540 wrote to memory of 3068	2540	bdad1ff46d46963cc687d5f6889c9ef2.exe	30
PID 2540 wrote to memory of 3068	2540	bdad1ff46d46963cc687d5f6889c9ef2.exe	30
PID 3068 wrote to memory of 2848	3068	vbc.exe	32
PID 3068 wrote to memory of 2848	3068	vbc.exe	32
PID 3068 wrote to memory of 2848	3068	vbc.exe	32
PID 3068 wrote to memory of 2848	3068	vbc.exe	32
PID 2540 wrote to memory of 2708	2540	bdad1ff46d46963cc687d5f6889c9ef2.exe	33
PID 2540 wrote to memory of 2708	2540	bdad1ff46d46963cc687d5f6889c9ef2.exe	33
PID 2540 wrote to memory of 2708	2540	bdad1ff46d46963cc687d5f6889c9ef2.exe	33
PID 2540 wrote to memory of 2708	2540	bdad1ff46d46963cc687d5f6889c9ef2.exe	33

C:\Users\Admin\AppData\Local\Temp\bdad1ff46d46963cc687d5f6889c9ef2.exe
"C:\Users\Admin\AppData\Local\Temp\bdad1ff46d46963cc687d5f6889c9ef2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ttemagjh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB28E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB28D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2848
- C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bdad1ff46d46963cc687d5f6889c9ef2.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB28E.tmp

Filesize
1KB

MD5
06d9d3de4ef8a71990c67c4563cb60f8

SHA1
9ee91ecd59d553cd82937cb141f2c0a22b19f24e

SHA256
eb1c17612d3a313aff9cd9a1ba6655b6c77bae858a73e56183842eb18daf8061

SHA512
edcda5e19b014dd1758e7279a9911e1ca65f6f7c0349e1f8776221864ba3b9c0a259759f0b678728475ebb612919a2323298b739be33ae5af1265815f16db391

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe

Filesize
78KB

MD5
2ffad7b028da14e091e95800f6dee93e

SHA1
b16b270b2977e02f0b169b0c7c7937c8219b2a5f

SHA256
aa963e81430f0769d2f9080cb80c93aed9e51432c73e525d20d14f14b2a60e3d

SHA512
b97c449475c188ed5f6f17553b5fd8cad2a98acb51418967a5bf6166efbcd993b12b50e9d4eadb2af13d23a43821f0425fb7099d0eff66d61a13f4b76fa06a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\ttemagjh.0.vb

Filesize
15KB

MD5
ecbe3946ddace22437d55add69031e39

SHA1
49e9276c3a90754c199f679e25f4ade42f6774df

SHA256
d34c9f6fbc39b8387b7d1af23636ceff244a440e18b58a0ac35620949652c2ca

SHA512
7e568599b50fd5becf6cc10c8b1e0f9359b98ce85cdb1405134c7c134c339058b1e8c7710c86bf531ec0b73c51b014b67933dec8d64f2e5497afabfe2580aeae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ttemagjh.cmdline

Filesize
266B

MD5
a20cccad614be63de32716cfb84528bc

SHA1
e3c8fb9f89dc4a065cba053272a9453831ac53b0

SHA256
9f2ae327ad14ee8734848c3137c86f39f7fc0780339348516646adf6a7e1e0ec

SHA512
cb77c5391fbdf5ede427711567766085de886e3720ab750d7e505bd83bd2504cc7a5879204af819a8ace8e0dd9c997c6f2e5edc7394b41c7cf8c41979a2c9167

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB28D.tmp

Filesize
660B

MD5
5e80f47a3ec03e1a06232bfbb1966184

SHA1
ddbadf7d102fc8c0db4b46b21249a6d4b0fe2e21

SHA256
2f5e1046ce4d9f472b57e6ac1c9a8e53f50ec7e6c9d4f968198a2bbb00a37836

SHA512
9a6a5835ac84d48458d573f94cb3f63b9fbf8848c8cd3615a942e0ad38cd12568b0ae23a1e5ed2660858a4ee27daf858fbe646cf600c32165d66d0295b8317b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2540-0-0x00000000742D1000-0x00000000742D2000-memory.dmp

Filesize
4KB

Download
memory/2540-1-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-5-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-24-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-8-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/3068-18-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads