metamorpherrat | a23fdeddb683f716be744ef3fe9a8ce2c87b02f5e5c1f6c8bdb70881de528304

Analysis

max time kernel
141s
max time network
149s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd94462486ad6fad4ab587ad00762632.exe
Size

78KB
MD5

cd94462486ad6fad4ab587ad00762632
SHA1

600e27f9eaa5040e50513248a440af60040ac9db
SHA256

9868136efa35854a43f56eec9de8c32dff7745db42922395b828f592d56cea04
SHA512

5e1090a78794afcc56304197bec0e90069d02e57808e2f9ac26b0e4dec76b8b148e006ecd8374a0c91648b61a6cf3663b95cc3bc5a601c59ef48b0561487ffb6
SSDEEP

1536:Ay58Vdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6h9/2iL1k6:Ay58An7N041Qqhgp9/2id

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Deletes itself 1 IoCs

pid	Process
2956	tmpFDB0.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2956	tmpFDB0.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2136	cd94462486ad6fad4ab587ad00762632.exe
2136	cd94462486ad6fad4ab587ad00762632.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpFDB0.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpFDB0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd94462486ad6fad4ab587ad00762632.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	cd94462486ad6fad4ab587ad00762632.exe
Token: SeDebugPrivilege	2956	tmpFDB0.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2820	2136	cd94462486ad6fad4ab587ad00762632.exe	31
PID 2136 wrote to memory of 2820	2136	cd94462486ad6fad4ab587ad00762632.exe	31
PID 2136 wrote to memory of 2820	2136	cd94462486ad6fad4ab587ad00762632.exe	31
PID 2136 wrote to memory of 2820	2136	cd94462486ad6fad4ab587ad00762632.exe	31
PID 2820 wrote to memory of 2156	2820	vbc.exe	33
PID 2820 wrote to memory of 2156	2820	vbc.exe	33
PID 2820 wrote to memory of 2156	2820	vbc.exe	33
PID 2820 wrote to memory of 2156	2820	vbc.exe	33
PID 2136 wrote to memory of 2956	2136	cd94462486ad6fad4ab587ad00762632.exe	34
PID 2136 wrote to memory of 2956	2136	cd94462486ad6fad4ab587ad00762632.exe	34
PID 2136 wrote to memory of 2956	2136	cd94462486ad6fad4ab587ad00762632.exe	34
PID 2136 wrote to memory of 2956	2136	cd94462486ad6fad4ab587ad00762632.exe	34

C:\Users\Admin\AppData\Local\Temp\cd94462486ad6fad4ab587ad00762632.exe
"C:\Users\Admin\AppData\Local\Temp\cd94462486ad6fad4ab587ad00762632.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ljnrpcah.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF08.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFF07.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2156
- C:\Users\Admin\AppData\Local\Temp\tmpFDB0.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpFDB0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cd94462486ad6fad4ab587ad00762632.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFF08.tmp

Filesize
1KB

MD5
ee66a045f7db8ab7e5dd3ffb565f937f

SHA1
6f6f8d5071f7da02f9900af5e67c50841da4f00c

SHA256
6c54ca0f782d3c71380d8a123d6164c057816237915f0b355240c8be5392aed0

SHA512
c955913888fedcdb5c57a6fd16f47c5ece0a647a42028140f4a011374141b5b85990d44b4042d6615ac17f1290c8e4e3179f6df9db5d5de908e470c1dbacb6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljnrpcah.0.vb

Filesize
14KB

MD5
94ae35f1f5e22ddceb3c300e2f0f61c3

SHA1
3eb1a7c0bfed24ef14f2bbd4111f67c2998675ff

SHA256
69de786a500eec5d4c7199cbfc43b85feda0851610f2cb87fd2e473eaa0e9412

SHA512
b3dd7273712b36301f77e130225c9466068446d0d490666acef703d01b29b29cf61e2d18af8b5f6dc3d8d49e07cde3834a800422df2c345e18ef234cdcd45a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljnrpcah.cmdline

Filesize
266B

MD5
eb0c8bf1f9c856d76fd10ff32be5e0f9

SHA1
f461691d9148b50f443b584a39824822b7640a5a

SHA256
00ccf791012edbdeb77ffa23d4bdf97033de34c30d7babce07edc781becb96c2

SHA512
ddf0d96d29008ed9ef4a0d8df3069871ea1177cf54cbc3de5a27a55916547d44654ce65051cde4fa50e8039679d6e0e121da5fbc07a215afbb5aeb5674191e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFDB0.tmp.exe

Filesize
78KB

MD5
acb29991d44fc42ed9554c2d05e61bf1

SHA1
4acf32e4b08483e99b9d3b633e6aaf03c47eed15

SHA256
b275aae3a216b2c0e66bd79fafcf8118ae64092b9121a1a23fc133c8fd26533a

SHA512
384b1a1920a49dd8be4b26bf5d7098b14eaf1bf1ebd72dbc5d907f490f1b72f2071b2688d303a57bd20568c46f2d0bf7076adaeeda9ecff09aaf0c431c443eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFF07.tmp

Filesize
660B

MD5
09185e432f106d4c77ea1caa274a1797

SHA1
9bb4655d902e52d1c105d6fc0e67f46812134dca

SHA256
188dd550843c87099bbfc335ff1c45f16d097cb2fc53f4de8ac956f244802188

SHA512
0a4e59fc7beeafae75921a4b86feea6430c69c79fb9071621ef8e2d3c115175973d3f9c56e861b42b4374216db5f2a9703393e02e357cb6be6d3b05bedf4391f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2136-0-0x0000000074781000-0x0000000074782000-memory.dmp

Filesize
4KB

Download
memory/2136-1-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2136-2-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2136-23-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-8-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-18-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads