Overview

overview

10

Static

static

10

cb45bfa4b2...32.exe

windows7-x64

7

cb45bfa4b2...32.exe

windows10-2004-x64

7

cb48b9ffc8...ab.exe

windows7-x64

10

cb48b9ffc8...ab.exe

windows10-2004-x64

10

cb642e19ad...e6.exe

windows7-x64

7

cb642e19ad...e6.exe

windows10-2004-x64

7

cb64f92875...a6.exe

windows7-x64

7

cb64f92875...a6.exe

windows10-2004-x64

7

cb81b6d0e8...88.exe

windows7-x64

10

cb81b6d0e8...88.exe

windows10-2004-x64

10

cbaee22513...a5.exe

windows7-x64

10

cbaee22513...a5.exe

windows10-2004-x64

10

cbbf316076...27.exe

windows7-x64

1

cbbf316076...27.exe

windows10-2004-x64

1

cbc319d807...7c.exe

windows7-x64

10

cbc319d807...7c.exe

windows10-2004-x64

10

cbe09d8033...e7.exe

windows7-x64

10

cbe09d8033...e7.exe

windows10-2004-x64

10

cbf8cf5e7e...d1.exe

windows7-x64

10

cbf8cf5e7e...d1.exe

windows10-2004-x64

10

cbf9083762...57.exe

windows7-x64

10

cbf9083762...57.exe

windows10-2004-x64

10

cc027f345e...df.exe

windows7-x64

10

cc027f345e...df.exe

windows10-2004-x64

10

cc22848f9c...20.exe

windows7-x64

10

cc22848f9c...20.exe

windows10-2004-x64

10

cc25555aa2...ec.exe

windows7-x64

10

cc25555aa2...ec.exe

windows10-2004-x64

10

cc52f061bf...a0.exe

windows7-x64

6

cc52f061bf...a0.exe

windows10-2004-x64

6

cc609db84e...1e.exe

windows7-x64

7

cc609db84e...1e.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    139s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cbc319d8078c6c134b5cc6d67a9d587c.exe

  • Size

    78KB

  • MD5

    cbc319d8078c6c134b5cc6d67a9d587c

  • SHA1

    b5e270722fa7c5bbdd68c0e3f4f2420b6ff23740

  • SHA256

    087d6ff0e85c4c64aea33a0951a565a5815c9b0c04b24ab2ebc65fa704b140fe

  • SHA512

    e34c31e6896b35913f3018274ad54a2d8f316a656a2abcc8e34849d8070490debeaca1faf651931da5c4c3505296ed1fe2520b423197440c6ccb3fbb1dd2fe1d

  • SSDEEP

    1536:rCHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt/9/d12H:rCHFo53Ln7N041Qqhg/9/g

Score
10/10
metamorpherratdiscoverypersistenceratstealertrojan

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

    trojanratstealermetamorpherrat
  • Metamorpherrat family
    metamorpherrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cbc319d8078c6c134b5cc6d67a9d587c.exe
    "C:\Users\Admin\AppData\Local\Temp\cbc319d8078c6c134b5cc6d67a9d587c.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1dhhyrfr.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5324
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7474.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4A06E4C4CF6E447E8374A5C7FCA9EA6.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5612
    • C:\Users\Admin\AppData\Local\Temp\tmp734B.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp734B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cbc319d8078c6c134b5cc6d67a9d587c.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3500

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1dhhyrfr.0.vb
    Filesize

    15KB

    MD5

    4663a0a47b6687d56a93c79eebfecd50

    SHA1

    90b68cc1116ac27563f0a589030928fd68ee6b58

    SHA256

    e025c57870847d62db8ae8f46a9ca673210b7e0171079499a1baf7f81bdb2925

    SHA512

    d88acf4682b8b302f4a663668d67d41e029c309de0cfa168710cb6664966bd72f8cdbc1b0b0ff7cd2e39858151b555f0befb6fe75a64a5c7be80e43305461305

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1dhhyrfr.cmdline
    Filesize

    266B

    MD5

    4fc36ce1f2ec619f4dbfccfcdf3308a4

    SHA1

    c38ae6359f0dfe0ddeff1aea83812cbb2b205595

    SHA256

    359ecad7d278c1885e80ccc9e25b9a94c1cac6dad4391fcbcd4c52d1a29ed40a

    SHA512

    1fc09296d38f4f920c338bb4562bfd78b95c652159f0a58ae075aae832cc017b24489f66b6f8ac9cfdd160ba50d4ad89a33d0fdbd454fe873a17720862994e46

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RES7474.tmp
    Filesize

    1KB

    MD5

    0fbf291e76959290eee5053c30f236c4

    SHA1

    10e73b32826258af10a478ab0ffc3fdbc5507952

    SHA256

    0a07e12352fa76652ee24e6672e24676cadd5a9e85339ca014d9c3c712610dab

    SHA512

    f985988de7d50eba81842ce725db2ee74c0c28a203495d534555d12a2e9e77a2d23e3e62f5bbff9ac9fd0cf231ce2fc2cb6662e932f9fda2ffc55347e3e6aa6e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp734B.tmp.exe
    Filesize

    78KB

    MD5

    cd9e4f8764710fae25977e04b627d0e6

    SHA1

    6081dfd8c9447d35ee9b8834c7e5f6e17eb8a8e7

    SHA256

    7083b4ba7d959884912a69640cadc04a6680e73b9c3b945abebe98bee7f386f4

    SHA512

    e1a4b442a6323a65f078871320496e028c2c852a03580f10a903400a68690cc8926c8614c2285d9c34abe0f419e4be69f13a0f5899beb2f5b7fff3082f8f1bf8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbc4A06E4C4CF6E447E8374A5C7FCA9EA6.TMP
    Filesize

    660B

    MD5

    ec8682c6f642d2cc623019acb4aa8480

    SHA1

    d1a6bbee5052221e36c81efe7222cb87139708b6

    SHA256

    915a228ea99c04d25053263b1c9e766889bf5a34d5bf766dcbd0eebee19145e3

    SHA512

    cbd6b789ee6ee92c1f2a21374afc71b488383584b8943b60f112a15f03116778997d0c227986c2f682a54d3d47b1040a2d020ba3aab2fe1a51ba48eb54dbc97b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize

    62KB

    MD5

    aa4bdac8c4e0538ec2bb4b7574c94192

    SHA1

    ef76d834232b67b27ebd75708922adea97aeacce

    SHA256

    d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

    SHA512

    0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

    Download Submit

  • memory/552-22-0x00000000748C0000-0x0000000074E71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/552-2-0x00000000748C0000-0x0000000074E71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/552-0-0x00000000748C2000-0x00000000748C3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/552-1-0x00000000748C0000-0x0000000074E71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3500-23-0x00000000748C0000-0x0000000074E71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3500-25-0x00000000748C0000-0x0000000074E71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3500-24-0x00000000748C0000-0x0000000074E71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3500-27-0x00000000748C0000-0x0000000074E71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3500-28-0x00000000748C0000-0x0000000074E71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3500-29-0x00000000748C0000-0x0000000074E71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5324-18-0x00000000748C0000-0x0000000074E71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5324-9-0x00000000748C0000-0x0000000074E71000-memory.dmp

    Filesize

    5.7MB

    Download