metamorpherrat | 7e71c79883eb025596762b4e0bf86b447039079dfe510ccf13a383b612575fa6

Analysis

max time kernel
139s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ca3e4676bac76c4f7eaf0ab169b8af1.exe
Size

78KB
MD5

3ca3e4676bac76c4f7eaf0ab169b8af1
SHA1

3873da68bc51d374243468d08e73058674ea0a02
SHA256

572c49454d971b5cebc708b888e42970a4f954d97cdd8cd237a5ce4b281c60a7
SHA512

2f34a5d1affdada1686408f5f6ac748fd688215a2a12acf897f06af177ad103dbae344102b271b572a5e51ec11b68d97b7d2fa184244ce67d5ea8430f85f1e4e
SSDEEP

1536:bCHF3638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN9/t1+S:bCHFq3Ln7N041QqhgN9/Z

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	3ca3e4676bac76c4f7eaf0ab169b8af1.exe

Deletes itself 1 IoCs

pid	Process
5232	tmp49DA.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
5232	tmp49DA.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp49DA.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ca3e4676bac76c4f7eaf0ab169b8af1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp49DA.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5244	3ca3e4676bac76c4f7eaf0ab169b8af1.exe
Token: SeDebugPrivilege	5232	tmp49DA.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5244 wrote to memory of 5060	5244	3ca3e4676bac76c4f7eaf0ab169b8af1.exe	87
PID 5244 wrote to memory of 5060	5244	3ca3e4676bac76c4f7eaf0ab169b8af1.exe	87
PID 5244 wrote to memory of 5060	5244	3ca3e4676bac76c4f7eaf0ab169b8af1.exe	87
PID 5060 wrote to memory of 5220	5060	vbc.exe	89
PID 5060 wrote to memory of 5220	5060	vbc.exe	89
PID 5060 wrote to memory of 5220	5060	vbc.exe	89
PID 5244 wrote to memory of 5232	5244	3ca3e4676bac76c4f7eaf0ab169b8af1.exe	90
PID 5244 wrote to memory of 5232	5244	3ca3e4676bac76c4f7eaf0ab169b8af1.exe	90
PID 5244 wrote to memory of 5232	5244	3ca3e4676bac76c4f7eaf0ab169b8af1.exe	90

C:\Users\Admin\AppData\Local\Temp\3ca3e4676bac76c4f7eaf0ab169b8af1.exe
"C:\Users\Admin\AppData\Local\Temp\3ca3e4676bac76c4f7eaf0ab169b8af1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5244
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ju0595n8.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BAF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc57444B7A62E74ABABD71616A96A122D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5220
- C:\Users\Admin\AppData\Local\Temp\tmp49DA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp49DA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3ca3e4676bac76c4f7eaf0ab169b8af1.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4BAF.tmp

Filesize
1KB

MD5
aee7284858f96d439c9128392aa40078

SHA1
96775298db4a82fac89396694feb3325c0ae9c32

SHA256
56775c560ffec91daec8af097072b743f974e9ca2b5b0c0ca8e0c03f4475ec38

SHA512
5de7068db866536c598df4e20ab688dd6ef52182563a183d558555fc41b287edbd5db03d704e71a5c5a5ca87c7917bfa7876ea33cddf06bfb91e070f070c626e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ju0595n8.0.vb

Filesize
15KB

MD5
e3fb4d88713cfa0504d8305dd95dba00

SHA1
d3c546d5f7dd00db5c695f07aff3b2d80e4bb72b

SHA256
738aa4b78654af84b7c13e73f2447212caaae895ba0f89e0ebd62bced289f011

SHA512
f41a7cbe1cccca876af97307e3286c6c3281293856d21e63e5e1e33c9786554e4db20f12aeb8696ceb3305361c28814a5d959c7abf2cffc630056e626406b842

Download Submit
C:\Users\Admin\AppData\Local\Temp\ju0595n8.cmdline

Filesize
266B

MD5
1df67d50ad44e89970b416da9e4ed063

SHA1
e0304126fc6a920c0b6f09f322a5041a52e842db

SHA256
d1e9509495951790f37af521f264c57672e0aa095cfb75ae5864ef2bfddf72ea

SHA512
c383112d7aae48026d8619e04fca0826e1c274e23f35f5010ad4eb3759f3f12fd0b67ac9436d4fb2e9d54edf3d5cea1b52e55f7fc56e7a28c2ddea71066890c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp49DA.tmp.exe

Filesize
78KB

MD5
1116590de90b811b247c0c11105d4f7d

SHA1
60d53e1f02b4ceeb8d3f361e02e0c428feca936a

SHA256
df6fa18cd358a9f2adf513c641bb353d1d9614c4c0519bc82f31f166a3c941c1

SHA512
d52ac85e94da0de37c22d0e375b1964550a2959469facd9d5d01f92e7c733a09de6ded50f27bd63300d0dad61daac0e0c2c39b424600d04a99f7c7378eb33699

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc57444B7A62E74ABABD71616A96A122D.TMP

Filesize
660B

MD5
4835d6dad2f3b5a78652c4412decb225

SHA1
d22a7223701be33dc08449f4870cee9404fe141b

SHA256
29eac352dfa74178d32b1ac2a88ec65bf1c97204857ae342b04fa52bbd94d6df

SHA512
932e29d049ea6a3ffd90e888c1a3d9382cbd936fc3d08051cc50200a414ff50950e018383bf7c711a385c5f4bf101a241c1824dc76a72f8fcd2afca2784943fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/5060-8-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/5060-18-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/5232-23-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/5232-24-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/5232-25-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/5232-27-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/5232-28-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/5232-29-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/5244-0-0x0000000075422000-0x0000000075423000-memory.dmp

Filesize
4KB

Download
memory/5244-2-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/5244-1-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/5244-22-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads