metamorpherrat | 70bba6e748b04c937188f113389a3c90bf30806add70222b920886a57b0bdd98

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12e02e413d59c118fb50dcbf2f8ef3cd.exe
Size

78KB
MD5

12e02e413d59c118fb50dcbf2f8ef3cd
SHA1

8bacab7d1e97c72ea77a88505846f23c9ea5521a
SHA256

3550e8bf4400c2c8580dcb7776a133cee3ce9bce09022fdd27daf9f23fb25ea5
SHA512

0e58cd7c7af4f4f3930148958a19420f028f46de9975e40e1714db500ff0ef1f029018cc989eac7f2b1e1f3a068ea8c8686e316a30979b2a4ab721c314839154
SSDEEP

1536:oPWtHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtm9/ZE1vK:oPWtHa3Ln7N041Qqhgm9/Z/

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2956	tmpAF43.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2592	12e02e413d59c118fb50dcbf2f8ef3cd.exe
2592	12e02e413d59c118fb50dcbf2f8ef3cd.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpAF43.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAF43.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12e02e413d59c118fb50dcbf2f8ef3cd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2592	12e02e413d59c118fb50dcbf2f8ef3cd.exe
Token: SeDebugPrivilege	2956	tmpAF43.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2160	2592	12e02e413d59c118fb50dcbf2f8ef3cd.exe	30
PID 2592 wrote to memory of 2160	2592	12e02e413d59c118fb50dcbf2f8ef3cd.exe	30
PID 2592 wrote to memory of 2160	2592	12e02e413d59c118fb50dcbf2f8ef3cd.exe	30
PID 2592 wrote to memory of 2160	2592	12e02e413d59c118fb50dcbf2f8ef3cd.exe	30
PID 2160 wrote to memory of 2512	2160	vbc.exe	32
PID 2160 wrote to memory of 2512	2160	vbc.exe	32
PID 2160 wrote to memory of 2512	2160	vbc.exe	32
PID 2160 wrote to memory of 2512	2160	vbc.exe	32
PID 2592 wrote to memory of 2956	2592	12e02e413d59c118fb50dcbf2f8ef3cd.exe	33
PID 2592 wrote to memory of 2956	2592	12e02e413d59c118fb50dcbf2f8ef3cd.exe	33
PID 2592 wrote to memory of 2956	2592	12e02e413d59c118fb50dcbf2f8ef3cd.exe	33
PID 2592 wrote to memory of 2956	2592	12e02e413d59c118fb50dcbf2f8ef3cd.exe	33

C:\Users\Admin\AppData\Local\Temp\12e02e413d59c118fb50dcbf2f8ef3cd.exe
"C:\Users\Admin\AppData\Local\Temp\12e02e413d59c118fb50dcbf2f8ef3cd.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1rwp8utw.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB01E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB00D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2512
- C:\Users\Admin\AppData\Local\Temp\tmpAF43.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpAF43.tmp.exe" C:\Users\Admin\AppData\Local\Temp\12e02e413d59c118fb50dcbf2f8ef3cd.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1rwp8utw.0.vb

Filesize
15KB

MD5
8856812162cf1b2d1d8b1d38e6ff9992

SHA1
2c2aa6fc3ae4af44bee57b417c28c4957788cd28

SHA256
8fa5447f2eb64daf350c38f8f805a863da7fa337dea0f901c59bc0680f34dbf7

SHA512
2d5fae676e09a13ab58f5f76d0493f5161a4785ced22688717416eb6f19a54ea18527ac59f6cb6e5bb1f7bd1d2dec588ffa7dc54bee550ed33e2cb5c5aabd52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1rwp8utw.cmdline

Filesize
266B

MD5
5754cbb5735980a2aa5ac23eabb7db7c

SHA1
24750bb7a0b71c0d2c8f2e16872a536ea4888471

SHA256
32e7d2f3eb3d808cd993d1d60ba0ef90c60b356bd5590d7946bd5ee13d26f489

SHA512
d7caf1e59d61be6a0b7adb43992e76031d6fbc75d35807a47c9175a6e47c9eeaf43d25ec4439ac2f70fccb0c0977597935239b8413294fbfa48e19a305d55b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB01E.tmp

Filesize
1KB

MD5
66c2a4c34d8bcbb50aafb0fa61e023f3

SHA1
c1369db617d01e24a6ac121d9cfb5e4c31773b74

SHA256
9768495d11b9eb5accdfecbbcab9a6e0c5665f80875b273588292a2019467a9a

SHA512
9b1b6a0da3727b31dc4e1cb2d88574e6a0f7a15489d81d68af43240415974914347c184b5202885d0ade4e5844103a1fcd985a9cd341e43a7dd835fe65750837

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF43.tmp.exe

Filesize
78KB

MD5
684305b2cad89df36b6cee563f6f1f0b

SHA1
03cc0e049bd32f0bc6e852789705c639950f8093

SHA256
789802920a5174579742cb922ad9424730e4ef2d7ea52c0bfee70aa8a89197db

SHA512
f0e2e7d742d066544bc052cd4ad7fcbcece330ac87b6de1f056939630c3bb88cfc99f0f8af9980604a5c998ae7ce3c452d33b9cb9b0f88be975a253ddf2a7fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB00D.tmp

Filesize
660B

MD5
1a86ab9e3b12382d446a47f6f8a53d27

SHA1
e3a67eb03859961f936e231f332e61af5331350f

SHA256
e6b7c8263eec6981e61034fc668e1e61c3635d741c2068884032413ec28971c3

SHA512
13bbd38b292c45577a5f0f93d350b512cd6a4a6460edffa370335b6e984e83de608b3a8e7e9fc906256cc76f0edf4aa77471108769c99784c9281356b9f420ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2160-8-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2160-18-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2592-0-0x0000000074BC1000-0x0000000074BC2000-memory.dmp

Filesize
4KB

Download
memory/2592-1-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2592-2-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2592-24-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads