metamorpherrat | 400c24bdb9b7dabfcd9a8a2f137550f338014d833d169c6e6f4252910fb95feb

Analysis

max time kernel
141s
max time network
154s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a34ed8c9896cc074e235b2c4116871d1.exe
Size

78KB
MD5

a34ed8c9896cc074e235b2c4116871d1
SHA1

48fe165883c1de2bedfc07518ac2115b1a2c991e
SHA256

02a52e9110db06f80b86eaa21c0de7cbfbc484c97986634bd8ba74854d839a52
SHA512

375b6da19078fb908ba6ce6d8d11b36d360bf7f6daba622a068c21a18eb3714244086958a8d7cef4f905848b5a360d940b87f2c2a54ec582b294603c8f2d323c
SSDEEP

1536:lPy58Vdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC679/G1dS:lPy58An7N041Qqhgz9/X

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2172	tmpCE85.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2016	a34ed8c9896cc074e235b2c4116871d1.exe
2016	a34ed8c9896cc074e235b2c4116871d1.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpCE85.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a34ed8c9896cc074e235b2c4116871d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCE85.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	a34ed8c9896cc074e235b2c4116871d1.exe
Token: SeDebugPrivilege	2172	tmpCE85.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1988	2016	a34ed8c9896cc074e235b2c4116871d1.exe	30
PID 2016 wrote to memory of 1988	2016	a34ed8c9896cc074e235b2c4116871d1.exe	30
PID 2016 wrote to memory of 1988	2016	a34ed8c9896cc074e235b2c4116871d1.exe	30
PID 2016 wrote to memory of 1988	2016	a34ed8c9896cc074e235b2c4116871d1.exe	30
PID 1988 wrote to memory of 1724	1988	vbc.exe	32
PID 1988 wrote to memory of 1724	1988	vbc.exe	32
PID 1988 wrote to memory of 1724	1988	vbc.exe	32
PID 1988 wrote to memory of 1724	1988	vbc.exe	32
PID 2016 wrote to memory of 2172	2016	a34ed8c9896cc074e235b2c4116871d1.exe	33
PID 2016 wrote to memory of 2172	2016	a34ed8c9896cc074e235b2c4116871d1.exe	33
PID 2016 wrote to memory of 2172	2016	a34ed8c9896cc074e235b2c4116871d1.exe	33
PID 2016 wrote to memory of 2172	2016	a34ed8c9896cc074e235b2c4116871d1.exe	33

C:\Users\Admin\AppData\Local\Temp\a34ed8c9896cc074e235b2c4116871d1.exe
"C:\Users\Admin\AppData\Local\Temp\a34ed8c9896cc074e235b2c4116871d1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wfm8qo5b.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF42.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF41.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1724
- C:\Users\Admin\AppData\Local\Temp\tmpCE85.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCE85.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a34ed8c9896cc074e235b2c4116871d1.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCF42.tmp

Filesize
1KB

MD5
c8df9dd53bd832361e214cd8edbaf4e3

SHA1
0045f56157289d72b0bb03a0e642dee4b80fb9e9

SHA256
d69c78c6b6b2299b569bb79c45137f45615b0cd7723c9fece8deb66594f9c117

SHA512
059e053fd420f4622b99bb07be70cc7eda7d4550050559ae7c120725a3b0d361a683ef988533b3b8e90c9efbf54a252f60b8b9f78a8da3f30302b9a459b65c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCF41.tmp

Filesize
660B

MD5
cc6815006fc7789b374776ff7e30af3b

SHA1
5151f11071ddfc39d2e97e92a34aacbe62f05dd2

SHA256
ea0a8d9e715f29021f3adeccd58f2fc790d6c59c20745536ce3c82fdd82f8334

SHA512
ea98fcbbffa37369770cb0591002020cf6a2f4ed34433137f3e770c3f5e3349f6965754e0ccaf3093b972ca6afd164db309b0e690c46578a346479998befaf7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfm8qo5b.0.vb

Filesize
14KB

MD5
5419ca8b6296e6200b439ef06b2278e2

SHA1
61bbe7f0e5651c21f05fd333e6ce1abb1a017026

SHA256
6f1909237f657086e6b2bf0bf1e831682d3b2931dcad1d046f0e43f2f0613ee0

SHA512
229ffe3d474fe09c9e876146b23fd95781a7fd98848584380827628e5cb8d646124c4b98317f01798d86ad58c546b19878f43ffd513c32192f5e893d0f102428

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfm8qo5b.cmdline

Filesize
266B

MD5
174ce9fd9a902ebabf053a6c00a61e25

SHA1
f6219d15797d6b23ef73dc8f2c3705db36c2de89

SHA256
b5cd829af4532b91b91c4fe017bdaa9ca7ac611f5cd3f956c364de5ab627791b

SHA512
84f65f7017339b4e4014fa883063a8b7c95e88f9cc2acb09e314f494639d7043bdf0590f16688bbdabbe426baafc3a0f7c8fb1d20cca9ff5e296b8bb76705f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmpCE85.tmp.exe

Filesize
78KB

MD5
8f24e7bb7d64a0d67adebb5d2cbdb543

SHA1
1f1bbd57ab36152b9ef3769e8f77582074d4adf5

SHA256
de517587d142074ea4d68648fee4c3bff430582a9df83186e9f45597bdd4077c

SHA512
a53d4265de5b5236a89de8ec0b4c50c9b93d595c124a64fe57349fcc2d5dfd1be59708d0123a633d1ad2362e7af6ddfb33abf9b547e403e58991edf75da7a50a

Download Submit
memory/1988-8-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1988-18-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-0-0x0000000074E71000-0x0000000074E72000-memory.dmp

Filesize
4KB

Download
memory/2016-1-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-2-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-24-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads