metamorpherrat | df025008bab8a9d1b780276526007d60abaafb894af2cca82bc633c715945ec5

Analysis

max time kernel
1s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4502536cf49aa03ba4a7b695d7eaef2e.exe
Size

78KB
MD5

4502536cf49aa03ba4a7b695d7eaef2e
SHA1

5496f9936d988aef528f785ae7c3d3d4a1cd3e25
SHA256

7057a204b5f0886da9c758a11bc7587df6cd50cf6b1f47587d05aef2f3411027
SHA512

31be44ed80cb071345024ccafc841db6df4bdf8e0e1e3c9f041740d7209164bd7c6cd7325c0eab0bd812159fb8989da445e9ceaed43cadea5809b6205f60a784
SSDEEP

1536:HRWtHF3638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtR79/cd1Up:HRWtHFq3Ln7N041QqhgR79/F

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	4502536cf49aa03ba4a7b695d7eaef2e.exe

Executes dropped EXE 1 IoCs

pid	Process
5092	tmp805B.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp805B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4502536cf49aa03ba4a7b695d7eaef2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1064	4502536cf49aa03ba4a7b695d7eaef2e.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 2600	1064	4502536cf49aa03ba4a7b695d7eaef2e.exe	88
PID 1064 wrote to memory of 2600	1064	4502536cf49aa03ba4a7b695d7eaef2e.exe	88
PID 1064 wrote to memory of 2600	1064	4502536cf49aa03ba4a7b695d7eaef2e.exe	88
PID 2600 wrote to memory of 4160	2600	vbc.exe	90
PID 2600 wrote to memory of 4160	2600	vbc.exe	90
PID 2600 wrote to memory of 4160	2600	vbc.exe	90
PID 1064 wrote to memory of 5092	1064	4502536cf49aa03ba4a7b695d7eaef2e.exe	91
PID 1064 wrote to memory of 5092	1064	4502536cf49aa03ba4a7b695d7eaef2e.exe	91
PID 1064 wrote to memory of 5092	1064	4502536cf49aa03ba4a7b695d7eaef2e.exe	91

C:\Users\Admin\AppData\Local\Temp\4502536cf49aa03ba4a7b695d7eaef2e.exe
"C:\Users\Admin\AppData\Local\Temp\4502536cf49aa03ba4a7b695d7eaef2e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cgvxyjpy.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8165.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD58A425BEFF542798E5A4DDD31D41C.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4160
- C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4502536cf49aa03ba4a7b695d7eaef2e.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8165.tmp

Filesize
1KB

MD5
ad1f122d497a507802bbe15b61d90213

SHA1
135306935b8fcabada3ca8368212ae75a15d51e3

SHA256
5c3f002d44c9bcce94529539051c309b6f45d1472f94bd14935ab10e2957de10

SHA512
921e19e3765d0e52d5659dbb1a62c981df1e1b9fba87320439370974d166ed45d592e924454743a443fa78719da1518b53cafd8e1fc3535810e9cc47a022ad0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgvxyjpy.0.vb

Filesize
15KB

MD5
97532cea8b1b785b31228191995d5a6b

SHA1
81529174dda80c43671f928f188b853b6bb2b08f

SHA256
c041ef0dabd694736def340e5dc97df11e03611b755fe287614553868bf471bc

SHA512
6d3795575d9afc22385615bec2995c414d5c8af5185131148ead1875d4808d85356607a6fdbed60f06f3dfe215893bf419b330c6cd75f668e33171f9cfc4f053

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgvxyjpy.cmdline

Filesize
266B

MD5
79b3e77c000ff5202fa60d43fa472644

SHA1
70f6e2a146c3ecea3ed6896d624c497488cb363d

SHA256
9460bc4c98ea5c31d9d461d94d94d671f905a976550f88d3cf2b6bce62a30a95

SHA512
ba5a9d578c716223d10bb466b459ca708d5d2a89498b44a6610218d8b2d2efcc1c330f3698414c1f6a92aac7dc46081e08e9fef37987b5f37af9b96b186e1696

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe

Filesize
78KB

MD5
ff230c7eb0ebca790ea632c52dc8e578

SHA1
a839d81e2268f229d4ebdf67e815f3c0d7c8a1cd

SHA256
b254a308de9852729b12cba5e496c3ab6efdb4cceee1b0fe6eb4a72f71129137

SHA512
4159be204e7967f335d4206182f228b092b6b4eecaa22277e46d75c7a17972f65579b8e84153994c0868da0b5df36211ca3b8fb0c9a6ee25501362d3872a687c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD58A425BEFF542798E5A4DDD31D41C.TMP

Filesize
660B

MD5
8b4f6e3c5ec87cd97cc24f022242f950

SHA1
4c062b85cbd269fe482f1249ff09d8bdf39a2f39

SHA256
fab93703b93f687b598cca0e4c1cfa305d5d5ae12c60cc948e95936c66f575a7

SHA512
c0ece332135c75ffb0128a6d7f53effb3edc45802c0e8bcf0106d7f109bbfb1ed74c28c511023ab982cbf2e8225083e43245d9c66fa80170e9c86a560a52b0b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1064-1-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/1064-2-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/1064-0-0x0000000074DC2000-0x0000000074DC3000-memory.dmp

Filesize
4KB

Download
memory/1064-22-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/2600-8-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/2600-18-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/5092-23-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/5092-24-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/5092-25-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/5092-27-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/5092-28-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/5092-29-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download