metamorpherrat | 545403ae8941712ac4f021d5867ac8df35a554d5754192c54da66f7b2a2d4e5f

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68fef6943ee096474fd5049bb302656c.exe
Size

78KB
MD5

68fef6943ee096474fd5049bb302656c
SHA1

e5386c8142bad5a4a2fc0827933146ee69109ae7
SHA256

38171fdcb5e1043b82d2bf03801d06b4120917677bd64465968ab537b2b4e42e
SHA512

444228af46e018aa37470b3fb1c1dd77518cd61e43d99f188c922d1686bd569e9231745c17ade2ed3097dc8dd3629a346dbed43c2f9c956cef713fe7af830094
SSDEEP

1536:ly5jS6dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN659/L1ur:ly5jS1n7N041Qqhga9/i

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	68fef6943ee096474fd5049bb302656c.exe

Executes dropped EXE 1 IoCs

pid	Process
4544	tmp7791.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp7791.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68fef6943ee096474fd5049bb302656c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7791.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	68fef6943ee096474fd5049bb302656c.exe
Token: SeDebugPrivilege	4544	tmp7791.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2400	2876	68fef6943ee096474fd5049bb302656c.exe	88
PID 2876 wrote to memory of 2400	2876	68fef6943ee096474fd5049bb302656c.exe	88
PID 2876 wrote to memory of 2400	2876	68fef6943ee096474fd5049bb302656c.exe	88
PID 2400 wrote to memory of 4444	2400	vbc.exe	90
PID 2400 wrote to memory of 4444	2400	vbc.exe	90
PID 2400 wrote to memory of 4444	2400	vbc.exe	90
PID 2876 wrote to memory of 4544	2876	68fef6943ee096474fd5049bb302656c.exe	91
PID 2876 wrote to memory of 4544	2876	68fef6943ee096474fd5049bb302656c.exe	91
PID 2876 wrote to memory of 4544	2876	68fef6943ee096474fd5049bb302656c.exe	91

C:\Users\Admin\AppData\Local\Temp\68fef6943ee096474fd5049bb302656c.exe
"C:\Users\Admin\AppData\Local\Temp\68fef6943ee096474fd5049bb302656c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wwz7hhg3.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES788B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB5FB93EA2D240BD828B11F951471AE4.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4444
- C:\Users\Admin\AppData\Local\Temp\tmp7791.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7791.tmp.exe" C:\Users\Admin\AppData\Local\Temp\68fef6943ee096474fd5049bb302656c.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES788B.tmp

Filesize
1KB

MD5
13c5fe54d8bc6804eef0b6c0a38a284a

SHA1
ac9d3f289c273e7dd851a7626f2e9cc0bdb0dd07

SHA256
7e5c6a3b8c7a4c96256bef68428483c3dde989b752a6c806b304489200799c0f

SHA512
a958fca9a2dbe5805576984c5e18ebdc5a1bb39b679d568c59337d0d854d050fa4ea55fa302df3d21dcc51cd9040df0f50fe0d7fb71ad10be7477d6f9ed8efd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7791.tmp.exe

Filesize
78KB

MD5
c4f8374c99a1fc816c8be01e53a3f66e

SHA1
cd4bd85b4d48686d111382b1937e3853e39fcd33

SHA256
983b6fece3af61415ce03446af14dd80c94524f0f79a3d7de62b644b3b1d36be

SHA512
261bfe424cde18e5a7c2b23a7f079d3f937ab6b10366eb90c0a5129aed88fdc3120526f391dcf9562c469ef334da16a5505547aae42e30850676a2362e99d01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEB5FB93EA2D240BD828B11F951471AE4.TMP

Filesize
660B

MD5
7946df05a4aa9085476b0ce146ed68d0

SHA1
5551eb8ae86da7851f8f955d6ebe1a72f9153c76

SHA256
1f066276f6a848587d7bf9ae01038f64d94fd1baf04805a2230c15878e528f9f

SHA512
ec288cd72d9ca7e2251b2bcbfa863bf2b21948547cb37a4ba2845f44b5e5faebab12c50bd497f08e9b65756b249fefccf03f252cc772d3927226dc6024909f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwz7hhg3.0.vb

Filesize
14KB

MD5
e208543034b1ce76797712a75675ae51

SHA1
e4f7483d1b29e3ee6598c7c2d8ece37e22563389

SHA256
fc7f842a90d7624a24ca55dc3fbdc41c2d9abea4e554ccb514f7ddfe8a403249

SHA512
91ed7200e5c45aa151a92921f1976fdae44e85c9c92335d8d38b1ad69d5b9387e06d8e96e3c595f85345a3f79bde74b823bb0823be1c7b182bde2390c86ae8cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwz7hhg3.cmdline

Filesize
266B

MD5
f12a2c7d61c3ea7e13814e67b0ee6178

SHA1
5c489e1ae386e241e3a5bf0907b52f9aea8de022

SHA256
2cb72462776431eed8b317e38071ecbb914011d5c2b7998e7b3cf8266a33c720

SHA512
049591e64436641194ab1fbf8b8831c51a416c21f50e79e6a53a8a69d38c81000f24f9f882cf7771f792a085c143f52948beefb5a19d69a0e944d7e13013181d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2400-9-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/2400-18-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/2876-2-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/2876-0-0x0000000074F02000-0x0000000074F03000-memory.dmp

Filesize
4KB

Download
memory/2876-1-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/2876-22-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/4544-23-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/4544-24-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/4544-26-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/4544-27-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/4544-28-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads