metamorpherrat | 4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Resubmissions

14/04/2025, 07:51

250414-jp1kfssjz9 10

14/04/2025, 07:46

250414-jl9nyssjt9 10

08/04/2025, 15:58

250408-tevasswl18 10

08/04/2025, 14:19

250408-rm2nqsvqw2 10

Analysis

max time kernel
139s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2025, 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6e297800457d823c0597e833d555135.exe
Size

78KB
MD5

f6e297800457d823c0597e833d555135
SHA1

bef99c4a2e1ad4c2c478f156089158cbc624f7d2
SHA256

da2a754ce56ec13af9f429d5dcd20ff88aadc429a1b0a74d68f217f87e31b42f
SHA512

69ae7dc2898887531ef8faa9740d56e6e40af3d0bafca4f2c78e4e4a37a643afa731985d9fbb9792ea61fd61927d043356a418be09b5ad1b48c73aec81af1790
SSDEEP

1536:7V5jSYLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtt6H9/0V1aj:7V5jS+E2EwR4uY41HyvYg9/0g

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	f6e297800457d823c0597e833d555135.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	sortkey.exe

Executes dropped EXE 3 IoCs

pid	Process
4608	tmp8E75.tmp.exe
1576	sortkey.exe
1300	tmpA4BC.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp8E75.tmp.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zCom.resources	sortkey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6e297800457d823c0597e833d555135.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8E75.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sortkey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA4BC.tmp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	320	f6e297800457d823c0597e833d555135.exe
Token: SeDebugPrivilege	4608	tmp8E75.tmp.exe
Token: SeDebugPrivilege	1576	sortkey.exe
Token: SeDebugPrivilege	1300	tmpA4BC.tmp.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 2692	320	f6e297800457d823c0597e833d555135.exe	89
PID 320 wrote to memory of 2692	320	f6e297800457d823c0597e833d555135.exe	89
PID 320 wrote to memory of 2692	320	f6e297800457d823c0597e833d555135.exe	89
PID 2692 wrote to memory of 4068	2692	vbc.exe	92
PID 2692 wrote to memory of 4068	2692	vbc.exe	92
PID 2692 wrote to memory of 4068	2692	vbc.exe	92
PID 320 wrote to memory of 4608	320	f6e297800457d823c0597e833d555135.exe	93
PID 320 wrote to memory of 4608	320	f6e297800457d823c0597e833d555135.exe	93
PID 320 wrote to memory of 4608	320	f6e297800457d823c0597e833d555135.exe	93
PID 5968 wrote to memory of 1576	5968	cmd.exe	101
PID 5968 wrote to memory of 1576	5968	cmd.exe	101
PID 5968 wrote to memory of 1576	5968	cmd.exe	101
PID 1576 wrote to memory of 736	1576	sortkey.exe	102
PID 1576 wrote to memory of 736	1576	sortkey.exe	102
PID 1576 wrote to memory of 736	1576	sortkey.exe	102
PID 736 wrote to memory of 5380	736	vbc.exe	104
PID 736 wrote to memory of 5380	736	vbc.exe	104
PID 736 wrote to memory of 5380	736	vbc.exe	104
PID 1576 wrote to memory of 1300	1576	sortkey.exe	105
PID 1576 wrote to memory of 1300	1576	sortkey.exe	105
PID 1576 wrote to memory of 1300	1576	sortkey.exe	105

C:\Users\Admin\AppData\Local\Temp\f6e297800457d823c0597e833d555135.exe
"C:\Users\Admin\AppData\Local\Temp\f6e297800457d823c0597e833d555135.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c03n5br3.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8FBD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD257A4BABDD54411A23EC8975E71EDB7.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4068
- C:\Users\Admin\AppData\Local\Temp\tmp8E75.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8E75.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f6e297800457d823c0597e833d555135.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sortkey.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5968
- C:\Users\Admin\AppData\Local\Temp\sortkey.exe
  C:\Users\Admin\AppData\Local\Temp\sortkey.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z-7pbmr7.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:736
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA529.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc801662FC4544B2884BF302A8A27A88.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5380
- - C:\Users\Admin\AppData\Local\Temp\tmpA4BC.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpA4BC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\sortkey.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1300

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8FBD.tmp

Filesize
1KB

MD5
d60811fd302023c22dd9ebd2c94ec601

SHA1
11864db549ca8031ca89a945e5838d04ea1eb69d

SHA256
bcaf74df835e67df449b1edf3b1bab2ba3238a37b5dc31076b42bfa434d7c59d

SHA512
d02638cf75b8a99e47c4a17803be3cbbf667535bd7a04cf3f053be4d515ff55c1aeb67c963b23f75995e4c327b57390d229946385743e0b84e7ccf6f5d4b03d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA529.tmp

Filesize
1KB

MD5
f65372557e108b61e2f89ad42ee9eaf5

SHA1
e779ecf5a496a63fccda1a67c9b2e2979c6b347b

SHA256
e78ed53ecf89e2dba6798fd4633a2051b4b712ed2eeac2423e57d0c323788c6b

SHA512
28c3353dae748844c63386c79197659e1b71f0646a94d8bd875b8d084a21d8be2ef759b0411efdf67dee801f46816e50954f4f6f68334e9461cbeb5d110984f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\c03n5br3.0.vb

Filesize
14KB

MD5
542eff542a214526f1eef297e9431cc8

SHA1
089252ab3bb0a3b7893b03801b6a3d900b17ce03

SHA256
8a1d12035a9f18322c27a9d4150a21107ed2dc8fb29d5c85f0dc98adc5047d9b

SHA512
1be4842643f487ca1485350b5548b63d1650a5d1ce0b36ce72ec736821b06cec0075ba9f617b1b921dcea85b98612e6259c0d09bc594182e51cc45f05dc376b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\c03n5br3.cmdline

Filesize
266B

MD5
e06ec0bb5b55d01ddb4081b50ec5b0bc

SHA1
9f69909178ca235dc11daef874c04d8341792a3b

SHA256
2b291cdb2b2138da13ebbf7d1d3cfc8be3f9c1f99a3b73fea0973f3a5ef8c63d

SHA512
266c14aea8febd6b6331ad7e8343d514305f222dc2159169006da32491aa043eec55e6e646062a645d552090233f2df6a6f3f323e2954c61ade74128c194e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8E75.tmp.exe

Filesize
78KB

MD5
e15c64731dfc0ed084e701ddb0017dd3

SHA1
f625704e62ee85fa2a4bc67b1400ac4450f3c78c

SHA256
9e022c1302febce3cb2893892606574e5305847159f3309d624338fdf8804d4b

SHA512
863a54b883c5fe5f1afd1127e38234fc6cadd03da4fe0966b2a8bcaef60e38a96262b1ccf4cab03c0df61e004ce77491ad99ca1487c08038d0c1d57daff18fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA4BC.tmp.exe

Filesize
78KB

MD5
a4fa4d976fd8190585d8bc0491a1babf

SHA1
0303325b4f9e34b79edb7d08038cfa8c3fb15858

SHA256
73d5beaa315db7abac40f5d436564fcf7a56b933395e26702a270308c6c04d22

SHA512
b9b8569e9a67b8918b264dfca7740118ba39c621b497ff3d096e409d77a2ae8337afcf7e38c16a8052b6942dcaefb72da5251bf5dd8fa111399c89a33d30c620

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc801662FC4544B2884BF302A8A27A88.TMP

Filesize
660B

MD5
ede709b08c11cc4137f932b43cc17079

SHA1
bae2ae93acf660c25e428c74320574f1d97be99a

SHA256
2be1dc0f15d6ae08d9610de2421050d1aa54df66f1eea3b0a2720a19fe3fa2a0

SHA512
a33d9a8a46698d38dc45dce31a7399ea0f7511c2eac9cf3512b6f27d18495ae588d0c54951b2cb62eaa968916c6b7adb2d3210cfdc89ee6615ab38ba42730dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD257A4BABDD54411A23EC8975E71EDB7.TMP

Filesize
660B

MD5
9451ab3c6975d6ab152135151a50387b

SHA1
17a3931ee5ce42e6528bd283deb994ae50bab9cc

SHA256
827b8e624fe5d17dbc65e4f363c0653a802cba9e3bb656ed1c0a127ff51996ee

SHA512
2f6b87329089bbca4f5bdc9565f32ec33f65192617894c537cd56ec3f69c69cccbcb788286e84e2b83fa0b9c05f7c4d8d5643ebced2a568a98d445af8dc79b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\z-7pbmr7.0.vb

Filesize
15KB

MD5
e93084c58e2deee0024aecdf76fd551c

SHA1
420dc0b64a03512944b5929eeb77295e5f2ee52f

SHA256
b7e429877e2e60803f2c98fe927b70c27e5da26e118bffdf5488d2dbb53635f3

SHA512
951ae978d911bfbb2853889e966869ae6b2e7a43d278a1bbaefc4517dcbcb96bfb1791026cd77fa8fbbfc405e07e0996d53b8e46c009a7218356cf74aee681a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\z-7pbmr7.cmdline

Filesize
266B

MD5
59072557685bd9f2afedec068a6d4a60

SHA1
20d1661b9169d51c3f5399c0a93e34e0b0fdfab1

SHA256
8360dabfc20b7ae4b014c9945ad0889bc4eea79936cb852d98f3627ac9ddb249

SHA512
76bb3498f0c1f97e93b757fdc441175ae5a8d1928006fe0be30a3f1895245e4cabc849dd5d256fae5817e13c0389d00d4353fd2162f80eaa875fdf6b3c129fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/320-22-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/320-0-0x0000000074882000-0x0000000074883000-memory.dmp

Filesize
4KB

Download
memory/320-2-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/320-1-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2692-18-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2692-8-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/4608-23-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/4608-24-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/4608-25-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/4608-47-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads