metamorpherrat | 4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Resubmissions

14/04/2025, 07:51

250414-jp1kfssjz9 10

14/04/2025, 07:46

250414-jl9nyssjt9 10

08/04/2025, 15:58

250408-tevasswl18 10

08/04/2025, 14:19

250408-rm2nqsvqw2 10

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
14/04/2025, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6e297800457d823c0597e833d555135.exe
Size

78KB
MD5

f6e297800457d823c0597e833d555135
SHA1

bef99c4a2e1ad4c2c478f156089158cbc624f7d2
SHA256

da2a754ce56ec13af9f429d5dcd20ff88aadc429a1b0a74d68f217f87e31b42f
SHA512

69ae7dc2898887531ef8faa9740d56e6e40af3d0bafca4f2c78e4e4a37a643afa731985d9fbb9792ea61fd61927d043356a418be09b5ad1b48c73aec81af1790
SSDEEP

1536:7V5jSYLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtt6H9/0V1aj:7V5jS+E2EwR4uY41HyvYg9/0g

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 3 IoCs

pid	Process
4360	tmp48D0.tmp.exe
5264	sortkey.exe
2364	tmp5E9B.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp48D0.tmp.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zCom.resources	sortkey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sortkey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5E9B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6e297800457d823c0597e833d555135.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp48D0.tmp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3676	f6e297800457d823c0597e833d555135.exe
Token: SeDebugPrivilege	4360	tmp48D0.tmp.exe
Token: SeDebugPrivilege	5264	sortkey.exe
Token: SeDebugPrivilege	2364	tmp5E9B.tmp.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 5984	3676	f6e297800457d823c0597e833d555135.exe	78
PID 3676 wrote to memory of 5984	3676	f6e297800457d823c0597e833d555135.exe	78
PID 3676 wrote to memory of 5984	3676	f6e297800457d823c0597e833d555135.exe	78
PID 5984 wrote to memory of 3092	5984	vbc.exe	80
PID 5984 wrote to memory of 3092	5984	vbc.exe	80
PID 5984 wrote to memory of 3092	5984	vbc.exe	80
PID 3676 wrote to memory of 4360	3676	f6e297800457d823c0597e833d555135.exe	81
PID 3676 wrote to memory of 4360	3676	f6e297800457d823c0597e833d555135.exe	81
PID 3676 wrote to memory of 4360	3676	f6e297800457d823c0597e833d555135.exe	81
PID 2984 wrote to memory of 5264	2984	cmd.exe	84
PID 2984 wrote to memory of 5264	2984	cmd.exe	84
PID 2984 wrote to memory of 5264	2984	cmd.exe	84
PID 5264 wrote to memory of 1428	5264	sortkey.exe	85
PID 5264 wrote to memory of 1428	5264	sortkey.exe	85
PID 5264 wrote to memory of 1428	5264	sortkey.exe	85
PID 1428 wrote to memory of 2368	1428	vbc.exe	87
PID 1428 wrote to memory of 2368	1428	vbc.exe	87
PID 1428 wrote to memory of 2368	1428	vbc.exe	87
PID 5264 wrote to memory of 2364	5264	sortkey.exe	88
PID 5264 wrote to memory of 2364	5264	sortkey.exe	88
PID 5264 wrote to memory of 2364	5264	sortkey.exe	88

C:\Users\Admin\AppData\Local\Temp\f6e297800457d823c0597e833d555135.exe
"C:\Users\Admin\AppData\Local\Temp\f6e297800457d823c0597e833d555135.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jkgqe1dr.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5984
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAFFD7852E55D48C5A229C2BFCB885135.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3092
- C:\Users\Admin\AppData\Local\Temp\tmp48D0.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp48D0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f6e297800457d823c0597e833d555135.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sortkey.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\sortkey.exe
  C:\Users\Admin\AppData\Local\Temp\sortkey.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5264
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9tj7v3mh.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5EF8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1FE58358C10C48B5866D43CD7868F1.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2368
- - C:\Users\Admin\AppData\Local\Temp\tmp5E9B.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp5E9B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\sortkey.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2364

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9tj7v3mh.0.vb

Filesize
15KB

MD5
4356f4ae3a18a01430a206d30580bbbe

SHA1
5e83c462c84d90f20a45befee5a82a90656edd55

SHA256
85e5dde1dfd0ed2c56a6030c912124dbfb7d41c0507f2030a50a03741b17a5db

SHA512
9798826d553901e5f10b3858dfe01e48c1c5b8e852a9986fd41a5a92ed63b4f0f506717b56a83dcb1c297f386b5c086534b41d88c64c312bd07e8cff5ce85c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\9tj7v3mh.cmdline

Filesize
266B

MD5
54896a87bd4d8568b187bf623c11ab3a

SHA1
eefc0ded7c123bb5f8c219b303f69f872341d609

SHA256
e94762f1d5a00f974b86b737ee3de7076a823431803d04c460d8e40d1a9cbb11

SHA512
534e6599132334fdf49d7984e7f19f12d1e710da52cd706a84b4b30d7169df8520a4e5df703109fbc70e3aa5bfc15eb695f9a25bb723d2189e112b15ea4c9910

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES49CA.tmp

Filesize
1KB

MD5
b805bf130bcf1d4295cb8750a4d36b77

SHA1
a5f18f6a8cbff4ff6d725793c2b2b906a1799438

SHA256
4f01b78151cb2434f78800a42d195739b529cd349a39dd8465878c787d6e5829

SHA512
da46a7fcc7464c94a030035ceea3223ef3f128d674fee94e93b5a7c00fd217f7edeb2776af080cd41b72254bcc728451ea2b5606a920465b8921459ab4554f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5EF8.tmp

Filesize
1KB

MD5
cc4368cdead2fc9ed4c5b162a1bd0e3f

SHA1
c765989678b22ad9d2d02d937c65ab45cbe38016

SHA256
e4dd62f6de6e748ba69627c087e43de023052307b891ab668b76dd0857e4c548

SHA512
5857eadbf98e4251dce9b60ff8639d3799cac9d727f4305164c936a1160712825944e92039165b79561b547332ed663142c97a5245e019cb9669223e80b794d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkgqe1dr.0.vb

Filesize
14KB

MD5
b3dcd372c3b0d1b1c2e67eb709e12eb8

SHA1
e183ae88bc992d0b5250dc6601b0c456a0d015c4

SHA256
6320b2a6c419a833c05294b8bd12a404659e159b184c0d7a1b332e1a3aa26840

SHA512
1df92b212857a82df19219286ddb8dffa35322cb1a309d60af72b288de83cae09b0cf14f99bb165e7823dc14f530fbf4399109f17cf926433bcfaab7dfea3afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkgqe1dr.cmdline

Filesize
266B

MD5
bdd9d1f311ea76c44d97f16bc51c8112

SHA1
3a4403361026e50bf6821cf56135248277c05063

SHA256
4c74f82db82a5ffe664657ae20af1c479b7407201ce31ce644d8093c849065d3

SHA512
decb3c95b469239ccd18563dab286f4f42b833a22a29222b0c0ceb2b2378d9646d1d7bffd1370b0b268a88142345b75443c92dd84f96775ed2a523683d18b686

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp48D0.tmp.exe

Filesize
78KB

MD5
968b859bbc1e76a8525c3caf9f2eaf31

SHA1
cef7d1216c70a5530a8c8327671460547a61d212

SHA256
7598972741c1c971dcf4e18cc80b34226c8a0f021c8bccf694ea2b16e5af7c0c

SHA512
8cb4169df08cb0a9543756910f8edafe7ee263441cac6c5af9585a68c176e45354d92bceb2f4d7869583c114a05566542df6d32d701ed9ec906b21529d5b8f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5E9B.tmp.exe

Filesize
78KB

MD5
92894652cae63a38e33d941de4155ed7

SHA1
75d5e1896ed5a08611811792800a29ab107e8c98

SHA256
ca07680457039d7b887e6b92f40123866717ca3f055aeaa00eb6a24b51d7a0a5

SHA512
22bcdf668d6eb4fb6635bc57b70a2f1a4966f0acff185c1efe1e9be8b48de1d15a12ee9fd64d56665deb4a95f1b5eb200096eaf4e7efd59869375380eded7cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1FE58358C10C48B5866D43CD7868F1.TMP

Filesize
660B

MD5
ecf5a485ae5f8deaa3a2ffe9a7b68159

SHA1
95b6ef68938cd64aca2d9005abe31a28aca4b603

SHA256
7ea4265c3f62c123223bc0efe5079108d9a71d96f752bcbf1cec446180df56b6

SHA512
1e44c2b60341281d8a7c408d804eccb2184b33df69973ce4ab1fe18b3eb8f4eaf2123d52cc7ec40bf67f0f81e7c951ed1cf7d9783fdac38d8a39aeefd53868dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAFFD7852E55D48C5A229C2BFCB885135.TMP

Filesize
660B

MD5
4d9d3868ded1dea2d1da92eccdf73e77

SHA1
638491a649b1b4301a4fcd030ead82a93ac11a33

SHA256
2878011fa9ba2d68d9754757da5e64cf6397bd93c60b9e4a9bce3d5531dbace2

SHA512
dfe2a5387d05884cb10c2dfd0f58fdf67a9b5c4a03967d373070fb9ded5100a6d241570c6c3c9f7f69ac75fd12b741578a7a1942d509e39e7a8c7759943b3ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/3676-2-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/3676-22-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/3676-1-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/3676-0-0x00000000753C1000-0x00000000753C2000-memory.dmp

Filesize
4KB

Download
memory/4360-23-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/4360-24-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/4360-25-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/4360-47-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/5984-9-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/5984-18-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads