Overview

overview

10

Static

static

10

fe25de503f...5a.exe

windows7-x64

10

fe25de503f...5a.exe

windows10-2004-x64

10

fe282eaa90...45.exe

windows7-x64

10

fe282eaa90...45.exe

windows10-2004-x64

10

fe402f76d3...4d.exe

windows7-x64

10

fe402f76d3...4d.exe

windows10-2004-x64

10

fe55574c53...c0.exe

windows7-x64

1

fe55574c53...c0.exe

windows10-2004-x64

5

fe8a65a43d...3f.exe

windows7-x64

7

fe8a65a43d...3f.exe

windows10-2004-x64

7

fe99ddfdfc...6c.exe

windows7-x64

10

fe99ddfdfc...6c.exe

windows10-2004-x64

10

feb2c82a66...50.exe

windows7-x64

10

feb2c82a66...50.exe

windows10-2004-x64

10

fef2b831e5...91.exe

windows7-x64

8

fef2b831e5...91.exe

windows10-2004-x64

8

ff03c0c01a...cd.exe

windows7-x64

7

ff03c0c01a...cd.exe

windows10-2004-x64

10

ff1699c2d9...5a.exe

windows7-x64

10

ff1699c2d9...5a.exe

windows10-2004-x64

10

ff573ccb26...dd.exe

windows7-x64

10

ff573ccb26...dd.exe

windows10-2004-x64

10

ff5eef1816...3f.exe

windows7-x64

10

ff5eef1816...3f.exe

windows10-2004-x64

10

ff9b69031d...c2.exe

windows7-x64

10

ff9b69031d...c2.exe

windows10-2004-x64

10

ffc0421dee...0b.exe

windows7-x64

10

ffc0421dee...0b.exe

windows10-2004-x64

7

ffc45f2c58...73.exe

windows7-x64

10

ffc45f2c58...73.exe

windows10-2004-x64

10

fffa7ee6ec...91.exe

windows7-x64

10

fffa7ee6ec...91.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff573ccb268f734e737c764bc60f0ddd.exe

  • Size

    78KB

  • MD5

    ff573ccb268f734e737c764bc60f0ddd

  • SHA1

    f6307bb87f39aff19b50aa309ad56ea22eb69f65

  • SHA256

    42e0a790c9bbab15940b9e180973a701e2cc10b1bbfe1e2bd7cb2fca96033fed

  • SHA512

    cc143a391b8793609d22fba916ed5ee12719bfd169f31c43cffe926c7bed1c10da17ed7e98ef4cce4709f1000f2b77b558cac1d33be5d72e4e229b688cbf99d9

  • SSDEEP

    1536:SRWV586dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6p9/I16D:SRWV581n7N041Qqhgx9/5

Score
10/10
metamorpherratdiscoverypersistenceratstealertrojan

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

    trojanratstealermetamorpherrat
  • Metamorpherrat family
    metamorpherrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff573ccb268f734e737c764bc60f0ddd.exe
    "C:\Users\Admin\AppData\Local\Temp\ff573ccb268f734e737c764bc60f0ddd.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3932
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tdwu9usz.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3124
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CB2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc88E69CA06A5A4AC5B5735581B916E54A.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2016
    • C:\Users\Admin\AppData\Local\Temp\tmp7B6A.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp7B6A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ff573ccb268f734e737c764bc60f0ddd.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1144

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES7CB2.tmp
    Filesize

    1KB

    MD5

    6344302af78ce2efe4b56603bfdaf4ae

    SHA1

    091cabd31a9af459154f68b67e23d9020bc53d27

    SHA256

    63d5de6646cd553ac0dd7a3814d92a337857990ecbac334dce27582d1bf1c56a

    SHA512

    756cbe4527f47330a6305345ef8b202c9fb3fef06ccd13adbfde5074e85dd72ed4ccb1a7e6850f787ee848da884c299fc0f05de0a9578d295c0115fb1073ef7b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tdwu9usz.0.vb
    Filesize

    14KB

    MD5

    bff7525ce76b0370905b65efc0bff95a

    SHA1

    a1a96a6a32e2221a6590fc622656e0827c368bed

    SHA256

    a42bcabab52fa867cbbfb1d2cffd6b14ac87f3728c490450bfa8b268bdb0bd13

    SHA512

    9c5dffb72049833402edef63d1df80b47a61be689620de499b5202eddc889163e1af0a983e11e531b7ae4d04946ed5b39979816fd58671f29ce4d87696e0d896

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tdwu9usz.cmdline
    Filesize

    266B

    MD5

    9c3c49da9343e87e3ccb1ab654efbe89

    SHA1

    96dcf570fe17c8dea3b4bc45926bbbb23edceb03

    SHA256

    51f5902cdad143a00abcb32d15d9cb659d64297534240414d38a7df9f62d58cc

    SHA512

    fc7ef7aaa2934554fc2c153831f8fb0184eec9ca219bed65f037c7b3435df22cf5e06d1d9f490e8acff93db86c51510fa5b998f2daa423d9b39824967938456a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp7B6A.tmp.exe
    Filesize

    78KB

    MD5

    81ae56ca86e0fa67be21e7ecee2c6d41

    SHA1

    f12bc2fe3426bcc8b67890407102fe76cdc5f7f6

    SHA256

    5ee40732f08a3070073f74d1307232ab01e84b241ceb3b3acb5ed61ced56e4b8

    SHA512

    6dfc604b61e9bcf27391f9f4039ea9f8cc0702ce2157bf5f0445d8b67f6fbd37079c076276b5153ac51eac513ec892524e8b0ffb3801e0d1debff3d5619de8ac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbc88E69CA06A5A4AC5B5735581B916E54A.TMP
    Filesize

    660B

    MD5

    335e8df0f6dd2124ed08986676973f8a

    SHA1

    ee04927a7ac6487004230aef97d01ccad116c51f

    SHA256

    7c95879192dfe331260c86c3274a62b8e4f284b615413007ea4e47839c4ce035

    SHA512

    52f1b65aa6858be13d6a0cc0ec0c97b5006dcff999e1113a215c6d9373e77cdfa4e837b871341fbd1afd11290725d96de3173f512a2a86cf3047730194324b3b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize

    62KB

    MD5

    aa4bdac8c4e0538ec2bb4b7574c94192

    SHA1

    ef76d834232b67b27ebd75708922adea97aeacce

    SHA256

    d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

    SHA512

    0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

    Download Submit

  • memory/1144-23-0x00000000747B0000-0x0000000074D61000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1144-24-0x00000000747B0000-0x0000000074D61000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1144-26-0x00000000747B0000-0x0000000074D61000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1144-27-0x00000000747B0000-0x0000000074D61000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1144-28-0x00000000747B0000-0x0000000074D61000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3124-8-0x00000000747B0000-0x0000000074D61000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3124-18-0x00000000747B0000-0x0000000074D61000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3932-2-0x00000000747B0000-0x0000000074D61000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3932-1-0x00000000747B0000-0x0000000074D61000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3932-0-0x00000000747B2000-0x00000000747B3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3932-22-0x00000000747B0000-0x0000000074D61000-memory.dmp

    Filesize

    5.7MB

    Download