metamorpherrat | 545403ae8941712ac4f021d5867ac8df35a554d5754192c54da66f7b2a2d4e5f

Analysis

max time kernel
142s
max time network
155s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68fef6943ee096474fd5049bb302656c.exe
Size

78KB
MD5

68fef6943ee096474fd5049bb302656c
SHA1

e5386c8142bad5a4a2fc0827933146ee69109ae7
SHA256

38171fdcb5e1043b82d2bf03801d06b4120917677bd64465968ab537b2b4e42e
SHA512

444228af46e018aa37470b3fb1c1dd77518cd61e43d99f188c922d1686bd569e9231745c17ade2ed3097dc8dd3629a346dbed43c2f9c956cef713fe7af830094
SSDEEP

1536:ly5jS6dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN659/L1ur:ly5jS1n7N041Qqhga9/i

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2812	tmpD845.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2436	68fef6943ee096474fd5049bb302656c.exe
2436	68fef6943ee096474fd5049bb302656c.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpD845.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68fef6943ee096474fd5049bb302656c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD845.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2436	68fef6943ee096474fd5049bb302656c.exe
Token: SeDebugPrivilege	2812	tmpD845.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2544	2436	68fef6943ee096474fd5049bb302656c.exe	31
PID 2436 wrote to memory of 2544	2436	68fef6943ee096474fd5049bb302656c.exe	31
PID 2436 wrote to memory of 2544	2436	68fef6943ee096474fd5049bb302656c.exe	31
PID 2436 wrote to memory of 2544	2436	68fef6943ee096474fd5049bb302656c.exe	31
PID 2544 wrote to memory of 2564	2544	vbc.exe	33
PID 2544 wrote to memory of 2564	2544	vbc.exe	33
PID 2544 wrote to memory of 2564	2544	vbc.exe	33
PID 2544 wrote to memory of 2564	2544	vbc.exe	33
PID 2436 wrote to memory of 2812	2436	68fef6943ee096474fd5049bb302656c.exe	34
PID 2436 wrote to memory of 2812	2436	68fef6943ee096474fd5049bb302656c.exe	34
PID 2436 wrote to memory of 2812	2436	68fef6943ee096474fd5049bb302656c.exe	34
PID 2436 wrote to memory of 2812	2436	68fef6943ee096474fd5049bb302656c.exe	34

C:\Users\Admin\AppData\Local\Temp\68fef6943ee096474fd5049bb302656c.exe
"C:\Users\Admin\AppData\Local\Temp\68fef6943ee096474fd5049bb302656c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hlrbzq65.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD99E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD99D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2564
- C:\Users\Admin\AppData\Local\Temp\tmpD845.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD845.tmp.exe" C:\Users\Admin\AppData\Local\Temp\68fef6943ee096474fd5049bb302656c.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD99E.tmp

Filesize
1KB

MD5
2b81cab5fc178b98b0a4ac8564b2417e

SHA1
71aeeb066f06c9d6a1c4808c16a759e2166a3e47

SHA256
39fed092cb6b6bdbcd0e5f9024bcd2aee56fbe28c986d19b99f0177383eeceb4

SHA512
70f0e19f6dcbc4e391b34ad16bcb576d2957995ddbe1de53e4ed0605d8465ad69b4a79c1a68feb0908999616be2b33afe473999db666b2297e24fc60456f6f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlrbzq65.0.vb

Filesize
14KB

MD5
5f3fad7a6bcf77f84e9be4ab7c62955d

SHA1
1429648bd6149ddf20ecbaaa60f2fb07b7a15ba5

SHA256
e9a42fa169e201712cc12dd2dad597f3de9604de6c706cc90a680e8aa2b15ccf

SHA512
c9806164e06ecf8c36d03492998e8743398b1ff8adf4461646b350e9e472c2a5b729a6f85221a123787225f2c3180cc12e76b67ac7cbc3e6f356616eca29e465

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlrbzq65.cmdline

Filesize
266B

MD5
ef4671ea2f0ca57322fc32a3fda0f94b

SHA1
a8674f90c0d26d9c1289e453b3db55627cf03283

SHA256
b2d9d8cc04aa8795a862a4278a1e0bad8e78b95d803494c03c3de777593ff8ca

SHA512
3ac615e5f63c0ca0d9440dd0d08b713c998a91266d73777cbe3c6beedb930dd258925da8638b33aab2ee073508b137bb4232f2c1ffd7fb0d59d4e0e37bc5283a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD845.tmp.exe

Filesize
78KB

MD5
b34db0c4b18219734115e47e8eae1ab7

SHA1
5b94d87eef4aff9e1da90b91a1d7c5c66c6b7b3f

SHA256
cd494bb115ff09cc4e5789e58d210512d1cab7ca2ba3c0eb8207dd4fd57bf2f3

SHA512
47d31d980ddc1d2e38ea8a5ea191542a51a3ae308f9a6546ab4468e2a8cac06ea6c99ac7d1c709eea5d003964e6052ce7c89f9c02c348822cba4c7b8a3608378

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD99D.tmp

Filesize
660B

MD5
490214149c7dcb0b26d73e7ebae76b6b

SHA1
a6c6acadb2ee37c8df69c437caf91bf2c5bd4d05

SHA256
5fef5565c69d5bae63defc015515cd13eb0dbbdc7a6bb61f7c51b6a315fc96dd

SHA512
6edec27af0d514abf15a271c7616c4e182d4f93e43b4e826a54f06d31fe2b298321d3d0a0de0b70c802b7ecc6ad23a67780805f240bf87c10a545deb7fa0ac31

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2436-0-0x0000000074BC1000-0x0000000074BC2000-memory.dmp

Filesize
4KB

Download
memory/2436-1-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2436-2-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2436-24-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2544-8-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2544-18-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads