metamorpherrat | ee8bf49b63937bd249323dce936bc2816bc60b612af7d36f7c86609b31bc3628

General

Target

PWS.MSIL.Mintluks.exe
Size

78KB
MD5

d0912c8e2b0c3166670aef6c34569290
SHA1

1a6c60e1c4c9b3bbe76e24aa1b553ab82f8bc63d
SHA256

ee8bf49b63937bd249323dce936bc2816bc60b612af7d36f7c86609b31bc3628
SHA512

071bb638824bd2d781064916a3cb760f70ae5c9cc1f160982d99f0c47f429aacb20c49b1e07e90cb457a5fc622ece336a65a90f16c0d4e5b8fe2f10974db3348
SSDEEP

1536:NouHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtMm9/T19R:SuH/3ZAtWDDILJLovbicqOq3o+nMm9/t

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2708	tmpAF62.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
3060	PWS.MSIL.Mintluks.exe
3060	PWS.MSIL.Mintluks.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpAF62.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAF62.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PWS.MSIL.Mintluks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	PWS.MSIL.Mintluks.exe
Token: SeDebugPrivilege	2708	tmpAF62.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 1444	3060	PWS.MSIL.Mintluks.exe	30
PID 3060 wrote to memory of 1444	3060	PWS.MSIL.Mintluks.exe	30
PID 3060 wrote to memory of 1444	3060	PWS.MSIL.Mintluks.exe	30
PID 3060 wrote to memory of 1444	3060	PWS.MSIL.Mintluks.exe	30
PID 1444 wrote to memory of 2548	1444	vbc.exe	32
PID 1444 wrote to memory of 2548	1444	vbc.exe	32
PID 1444 wrote to memory of 2548	1444	vbc.exe	32
PID 1444 wrote to memory of 2548	1444	vbc.exe	32
PID 3060 wrote to memory of 2708	3060	PWS.MSIL.Mintluks.exe	33
PID 3060 wrote to memory of 2708	3060	PWS.MSIL.Mintluks.exe	33
PID 3060 wrote to memory of 2708	3060	PWS.MSIL.Mintluks.exe	33
PID 3060 wrote to memory of 2708	3060	PWS.MSIL.Mintluks.exe	33

C:\Users\Admin\AppData\Local\Temp\PWS.MSIL.Mintluks.exe
"C:\Users\Admin\AppData\Local\Temp\PWS.MSIL.Mintluks.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rkphxeep.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB175.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB174.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2548
- C:\Users\Admin\AppData\Local\Temp\tmpAF62.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpAF62.tmp.exe" C:\Users\Admin\AppData\Local\Temp\PWS.MSIL.Mintluks.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB175.tmp

Filesize
1KB

MD5
549814a36bb771efe27229e4a5de1c55

SHA1
d82e08578705f645307d926ac257dde79f2d4670

SHA256
81cc0c8a2b12d0b39e8c16a156011018378efc1fd2d06a64af23fc2764b97e58

SHA512
9fb2f923831154e3e7bdd9191af56ae78737fb9fd2b355b375275c9193c5861b93291b69c9a1b3946b76cd2b35cb2c52a5b5d95bc548d567a867253a3978e12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkphxeep.0.vb

Filesize
15KB

MD5
2c34d2c5b595a42de27260c9d7f92baf

SHA1
b57990b7c390d95db955257a4ef0dbe64a39f9e4

SHA256
6eec01e1a03c338c11786085f1c2c67aa0af851997a712ccc26c44092f7b25db

SHA512
5b4340ca565ff8356ed99b0d20b432567af30f6f8495e5dbb9f6877429cd308f953c8aece5cb258f9ca7c462549310c8e9e18d8a6bb86896d39bfb383987b727

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkphxeep.cmdline

Filesize
266B

MD5
15d46090968bd9bcca30df052f40af79

SHA1
e35631912774b1732c20d10bf15d17d4829468a2

SHA256
b100dcc8b42c467f75d93047d6ff962dd21bd2baf506ea9ea3c61dd0d8d79a6d

SHA512
14cc3eb703fd6d473c2c67539916f0b0d7a208982687c5862435cd8338306f2ce3ce64e1b43d77bdee1425db99cbd019d36f50bbe9e456299c2fd67dc24a4087

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF62.tmp.exe

Filesize
78KB

MD5
a0f3adba6893e844f44366b24dcb79e3

SHA1
54f930e909ad6d28767f403b387bedca57505b5d

SHA256
00cf3274976adf7b8c7de8a0a316917f0a7da92242075a5ccee8e97b59342819

SHA512
7b07cd2e500a2a56c6b1c6eef38faf9285116adf349c3c42aef6d27769e60a3a63c974a4be708dc67cf78c801c607b4de29c467507a115ec478d988367076319

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB174.tmp

Filesize
660B

MD5
b472fbeeda20f086247cb6c22585b34b

SHA1
46731c1e771ee42e3f1c08141c9e1c319010f7af

SHA256
78a2df93e8070e9f667039b094b4dcadee0c95300dbffd9471ef7ca854015b20

SHA512
456bf2405670cd2ea24c735b464704626596e440d59f2aefbe03e2ea074dacf1961189259b120e0a890d2b08c9c01c3eba795971ce5199f828d0439a375754d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1444-8-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/1444-18-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/3060-0-0x0000000074831000-0x0000000074832000-memory.dmp

Filesize
4KB

Download
memory/3060-1-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/3060-2-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/3060-24-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads