Overview

overview

10

Static

static

10

a200ccdf59...cb.exe

windows7-x64

1

a200ccdf59...cb.exe

windows10-2004-x64

1

a24432a439...39.exe

windows7-x64

1

a24432a439...39.exe

windows10-2004-x64

1

a261b01eac...35.exe

windows7-x64

10

a261b01eac...35.exe

windows10-2004-x64

10

a277e4ef19...9e.exe

windows7-x64

10

a277e4ef19...9e.exe

windows10-2004-x64

10

a2c94b5453...64.exe

windows7-x64

7

a2c94b5453...64.exe

windows10-2004-x64

7

a2e433f395...34.exe

windows7-x64

10

a2e433f395...34.exe

windows10-2004-x64

10

a2fad1a052...95.exe

windows7-x64

10

a2fad1a052...95.exe

windows10-2004-x64

10

a30ce01ad9...4d.exe

windows7-x64

7

a30ce01ad9...4d.exe

windows10-2004-x64

7

a31ba0b291...4c.exe

windows7-x64

10

a31ba0b291...4c.exe

windows10-2004-x64

10

a340d849cc...86.exe

windows7-x64

10

a340d849cc...86.exe

windows10-2004-x64

10

a34ed8c989...d1.exe

windows7-x64

10

a34ed8c989...d1.exe

windows10-2004-x64

10

a39a36bdb6...eb.exe

windows7-x64

10

a39a36bdb6...eb.exe

windows10-2004-x64

10

a3a42aeb37...7f.exe

windows7-x64

10

a3a42aeb37...7f.exe

windows10-2004-x64

10

a3a62b600d...4c.exe

windows7-x64

10

a3a62b600d...4c.exe

windows10-2004-x64

10

a3bf76de64...be.exe

windows7-x64

10

a3bf76de64...be.exe

windows10-2004-x64

10

a3d1683844...56.exe

windows7-x64

10

a3d1683844...56.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a34ed8c9896cc074e235b2c4116871d1.exe

  • Size

    78KB

  • MD5

    a34ed8c9896cc074e235b2c4116871d1

  • SHA1

    48fe165883c1de2bedfc07518ac2115b1a2c991e

  • SHA256

    02a52e9110db06f80b86eaa21c0de7cbfbc484c97986634bd8ba74854d839a52

  • SHA512

    375b6da19078fb908ba6ce6d8d11b36d360bf7f6daba622a068c21a18eb3714244086958a8d7cef4f905848b5a360d940b87f2c2a54ec582b294603c8f2d323c

  • SSDEEP

    1536:lPy58Vdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC679/G1dS:lPy58An7N041Qqhgz9/X

Score
10/10
metamorpherratdiscoverypersistenceratstealertrojan

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

    trojanratstealermetamorpherrat
  • Metamorpherrat family
    metamorpherrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a34ed8c9896cc074e235b2c4116871d1.exe
    "C:\Users\Admin\AppData\Local\Temp\a34ed8c9896cc074e235b2c4116871d1.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:64
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vg7gpd2y.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9858.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50F5DC589DA94AD5B0F7FBC8CA4F3B6D.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5048
    • C:\Users\Admin\AppData\Local\Temp\tmp976D.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp976D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a34ed8c9896cc074e235b2c4116871d1.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2832

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES9858.tmp
    Filesize

    1KB

    MD5

    0870ec71a5592343d0ac54b0866c8ea0

    SHA1

    80e5021a2708d67e0654b9968e830e08f5e5c014

    SHA256

    70bf101e0a07a3385ffbee41c947ee9feca71ed235d9dd34fd35710903c3b7b3

    SHA512

    44c85c6997631b943d23f3c757aa8282476786ef4358c326eabb1bd689435ba0509a9f4a401d36e6cd7778d5134f62e5f8bd36f838f9b2c78a58e2e796530652

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp976D.tmp.exe
    Filesize

    78KB

    MD5

    8a07466affb68eb62eb9d6db4924b323

    SHA1

    67c65cb54c810a69b8241ac8dd22664cdd500d94

    SHA256

    17983817f02439c695898e6f933ed2fe733ea384b1eaff37d1f3ba02e7efc894

    SHA512

    0e82a662bd295780f68dd9faf609efea43abdd110902cf9d950ad7c53b56379bbb4232b021cc18babd80af99a43ff37efee9d41ae08dec3c720a43c8253ca629

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbc50F5DC589DA94AD5B0F7FBC8CA4F3B6D.TMP
    Filesize

    660B

    MD5

    f75e48557d347dbb01df73bcd0263839

    SHA1

    c2b40b6e34b67d4f9e3f43edd497fe240513daa4

    SHA256

    1ef1e2d445d40b1c6eabe2a5b68179e4a8477b616d36106e60af8b4c365fa5f8

    SHA512

    aee532108f21d0dcb511b443aba253fcc3df7695a8577fa3d25cd5b64aa9907b7117d6f8736b596573c62fdfc801f9d214dd9fa63e8fb65c594017ba6b29208a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vg7gpd2y.0.vb
    Filesize

    14KB

    MD5

    942c8803b5c928b44dacf7eb7e118828

    SHA1

    72659266df89f39bbded4b79143c0b2c953b7141

    SHA256

    2db426d81f28be4277a7c355768bb8752a831a2b0f4a24013ea6ff6d9c68a9cb

    SHA512

    144984dde628d1a9c6c809f8e5eeb97e6512e5bb094bae9ba8ed3b50e0c71674ba368809e6b428a0d54ef4d45f953334b7e2484ed4cb87d2cc356b082e3c0837

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vg7gpd2y.cmdline
    Filesize

    266B

    MD5

    73702aead777b734573057fb0ed5b46d

    SHA1

    e7b4d904d185c359a8d64f3bce9c784f35773f38

    SHA256

    9ec72eb73aafe7ffa4edf0d773c9ae2be08c7951657a601de975c21e19b80f15

    SHA512

    f03ce59251b1accd5678643ebc9545b8b5a964baaa958f13ebdc16fa7b77904fdbf136b7ef687f931292d75b366712d85f63ef4f1fb66feddcb7a91dc6605007

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize

    62KB

    MD5

    aa4bdac8c4e0538ec2bb4b7574c94192

    SHA1

    ef76d834232b67b27ebd75708922adea97aeacce

    SHA256

    d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

    SHA512

    0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

    Download Submit

  • memory/64-1-0x0000000074E90000-0x0000000075441000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/64-2-0x0000000074E90000-0x0000000075441000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/64-22-0x0000000074E90000-0x0000000075441000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/64-0-0x0000000074E92000-0x0000000074E93000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2832-23-0x0000000074E90000-0x0000000075441000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2832-24-0x0000000074E90000-0x0000000075441000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2832-25-0x0000000074E90000-0x0000000075441000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2832-27-0x0000000074E90000-0x0000000075441000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2832-28-0x0000000074E90000-0x0000000075441000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2832-29-0x0000000074E90000-0x0000000075441000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3028-18-0x0000000074E90000-0x0000000075441000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3028-8-0x0000000074E90000-0x0000000075441000-memory.dmp

    Filesize

    5.7MB

    Download