metamorpherrat | a40626fbe1122175c403f8510e1f6ad41cee213a87ce8252305e32e5071a170a

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdad1ff46d46963cc687d5f6889c9ef2.exe
Size

78KB
MD5

bdad1ff46d46963cc687d5f6889c9ef2
SHA1

16329a972f772675d1c55304ed703fcf8649c720
SHA256

9f935f8e74743d350a12fa3f517b6ef5e57c54d850e83592e7da680aa95f37d0
SHA512

12b4d7d257aa55abdfdd213e3f105cad45207973b40d653cd29d6c20e58b3f867883422eeb0176f8f5fbea1b088df64ab5e28a32efab2133d4612140ab93f5fe
SSDEEP

1536:tCHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtRF9//166:tCHFo53Ln7N041QqhgRF9/P

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	bdad1ff46d46963cc687d5f6889c9ef2.exe

Deletes itself 1 IoCs

pid	Process
4596	tmp545A.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4596	tmp545A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp545A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdad1ff46d46963cc687d5f6889c9ef2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp545A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5888	bdad1ff46d46963cc687d5f6889c9ef2.exe
Token: SeDebugPrivilege	4596	tmp545A.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5888 wrote to memory of 4348	5888	bdad1ff46d46963cc687d5f6889c9ef2.exe	87
PID 5888 wrote to memory of 4348	5888	bdad1ff46d46963cc687d5f6889c9ef2.exe	87
PID 5888 wrote to memory of 4348	5888	bdad1ff46d46963cc687d5f6889c9ef2.exe	87
PID 4348 wrote to memory of 1924	4348	vbc.exe	89
PID 4348 wrote to memory of 1924	4348	vbc.exe	89
PID 4348 wrote to memory of 1924	4348	vbc.exe	89
PID 5888 wrote to memory of 4596	5888	bdad1ff46d46963cc687d5f6889c9ef2.exe	90
PID 5888 wrote to memory of 4596	5888	bdad1ff46d46963cc687d5f6889c9ef2.exe	90
PID 5888 wrote to memory of 4596	5888	bdad1ff46d46963cc687d5f6889c9ef2.exe	90

C:\Users\Admin\AppData\Local\Temp\bdad1ff46d46963cc687d5f6889c9ef2.exe
"C:\Users\Admin\AppData\Local\Temp\bdad1ff46d46963cc687d5f6889c9ef2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5888
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q7bp69yh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5525.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc781B858CC7834E128FB8D75EA9C8D72B.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1924
- C:\Users\Admin\AppData\Local\Temp\tmp545A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp545A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bdad1ff46d46963cc687d5f6889c9ef2.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5525.tmp

Filesize
1KB

MD5
90a133b57bd81d2a68e01627d298e948

SHA1
6c57861ee6c7b9440942c86e9b9ccdd567288f80

SHA256
830859ef27dbffa964c3e00beb0f66dd3ccb7ee1c97f8fab4f22f02f6a487abf

SHA512
8167be9696f46a01ce3316739e7eed241587779160e17259ba5bc0de4f4608f39e2737145dd6b17f913eeda6d09bcaa53f29454c5213b87bea49d54bc4f1d1d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\q7bp69yh.0.vb

Filesize
15KB

MD5
10df581b0e1022441699f533af1ce744

SHA1
dcd569321eddbfefa2ce4f55ed4b7bf4f5fee73f

SHA256
d1e749f79fbd62ac222037dbb7ac3f5e46e8759cfae3fdd92b119b9e658b45bc

SHA512
1ffdb5ead5337ff9cb037c4889a871d8dc7bdc6615b4f66cc0c5a9c0b9e38367ea64c69c7ee290deac84b9a71bf6374d50c6a301b6de2fabf6dbdf553ffb6082

Download Submit
C:\Users\Admin\AppData\Local\Temp\q7bp69yh.cmdline

Filesize
266B

MD5
8f3266cc8bc73a36f426b3e8dda7f232

SHA1
45477b4e1c39797f42d2c5db286e22c10f632e84

SHA256
03082d1764b9a4dc02757d4c00012cc2fefc9abf1cb61aad7fdd69a04a9ff520

SHA512
5105d554c1ce331de7fa25d486faabf1ea9ca741d8bd7e9cd9f53458a12d0023baddec2d3945e234ef032c9ceae2649dd713994bb11329411ff0b694601c7ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp545A.tmp.exe

Filesize
78KB

MD5
93b70f803feec4f3258a42971b8d8343

SHA1
3926290518ababbbc25ba4393bbe543c18694b6e

SHA256
a793364c65938bcff39b36fd9522011d33b57cffaeed722f8da964bbf6c1d0b3

SHA512
e54171799f1983e7fce463d64ed8d87f900a2977fd9f7c6714321b990ce031d178a73ff562cea46b909b2561e85fb70f3eff3194675f2e1930e03dc8ee8fca2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc781B858CC7834E128FB8D75EA9C8D72B.TMP

Filesize
660B

MD5
dd453a31ac5bd05c207304413bc3c05e

SHA1
370dc8f50038e686b18e010a01e42e6f0322bcf5

SHA256
b2f5e7c53af40339e7e2a7fffb887c5634ddec2c42c658527303b1f55650c724

SHA512
86b43164e2f68ad5b4d67c0d079921890ebf6e4b132f59491f628d43378c49a7558025d5004aa3f07e0dcdb3775d5a7bef1e91566c1f8fb1ce2b73d8ff041e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/4348-9-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/4348-18-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/4596-23-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/4596-24-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/4596-26-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/4596-27-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/4596-28-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/5888-0-0x0000000074912000-0x0000000074913000-memory.dmp

Filesize
4KB

Download
memory/5888-2-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/5888-1-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/5888-22-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads