metamorpherrat | c3d3107b5d697f082171672c58a332293567beb9b911908cfa2c4c3ac659ad02

General

Target

PWS.MSIL.Mintluks.exe
Size

78KB
MD5

88b81c24ef92117f4282d8512f634ed0
SHA1

c8d33ee71ea8d894174a007539c9e53d31dd92aa
SHA256

c3d3107b5d697f082171672c58a332293567beb9b911908cfa2c4c3ac659ad02
SHA512

3fdadae40ec0637b75ea1f4d73beb5154e0ba1e40ec07629f70fac84598b01c201ce64ce59d3a6d1e03df68ea086533cb016c9a5fd491d10cf9ff6f666ecf58c
SSDEEP

1536:zPy5UXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6A9/d1LD:zPy5MSyRxvhTzXPvCbW2UY9/3

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	PWS.MSIL.Mintluks.exe

Deletes itself 1 IoCs

pid	Process
5084	tmp8BC5.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
5084	tmp8BC5.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp8BC5.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8BC5.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PWS.MSIL.Mintluks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3204	PWS.MSIL.Mintluks.exe
Token: SeDebugPrivilege	5084	tmp8BC5.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 4508	3204	PWS.MSIL.Mintluks.exe	82
PID 3204 wrote to memory of 4508	3204	PWS.MSIL.Mintluks.exe	82
PID 3204 wrote to memory of 4508	3204	PWS.MSIL.Mintluks.exe	82
PID 4508 wrote to memory of 1072	4508	vbc.exe	84
PID 4508 wrote to memory of 1072	4508	vbc.exe	84
PID 4508 wrote to memory of 1072	4508	vbc.exe	84
PID 3204 wrote to memory of 5084	3204	PWS.MSIL.Mintluks.exe	85
PID 3204 wrote to memory of 5084	3204	PWS.MSIL.Mintluks.exe	85
PID 3204 wrote to memory of 5084	3204	PWS.MSIL.Mintluks.exe	85

C:\Users\Admin\AppData\Local\Temp\PWS.MSIL.Mintluks.exe
"C:\Users\Admin\AppData\Local\Temp\PWS.MSIL.Mintluks.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xp7yuvhq.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C90.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc284859F88CF44C2891C1379A613B36A.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1072
- C:\Users\Admin\AppData\Local\Temp\tmp8BC5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8BC5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\PWS.MSIL.Mintluks.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8C90.tmp

Filesize
1KB

MD5
95cbe63b7acea0a2bd457c56241fe320

SHA1
2f88a3a425c21dd8ca4f0dea6048f1e6d2cefb17

SHA256
0f60b34732f53235352f872b84406a466c644f41c31e7c352f095e6806abd200

SHA512
70c399ef605c6c2bb2ab9118a6b7c420196870aad1e61f96b14cc1fcda7e5cadbaa019df2fc588089e9a2e8160915d93f89ab84f7e270d05db397d094c10d142

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8BC5.tmp.exe

Filesize
78KB

MD5
de2d9ede8eeb33326bc455e0f406cbee

SHA1
313f3f94dba4292726b8ee91262517509e315f52

SHA256
959e9f3a8473b7c565c78c29840e67a2d5a1538a8f430f70366006e2d54d7eb9

SHA512
c77fc74b1f27d0d4e1ca830bd93107d5fc50fdbde8822e672c39e32fb89a0bdaf87058e6f9e5fbfb9fb89fa2388045e5f08a1fe4125b6ce361bc30d699eac83a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc284859F88CF44C2891C1379A613B36A.TMP

Filesize
660B

MD5
cea1823978170ae5576f8b2550a66ff4

SHA1
bebfb3a474cf664b9d4303336a24896b20dd97eb

SHA256
975c42e5565da5a32faea81f6039c26f11d00ddf382b1971fe6e9c78f1bdbaf4

SHA512
9d7fbd6548f3ff5def2581f030e7ffa76e488a2ec2ccd2e1e203f3cf75d525729aeccb3d9cf2e1da6f18145a860f828c23c357857bc754af0aaccb9689d96bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\xp7yuvhq.0.vb

Filesize
14KB

MD5
49cdbe6be7f52655868e125075b5494b

SHA1
a369f9961eef7ca4253b16ab26a042cbd70e15ff

SHA256
2a5f6e1d061cbbed60dd2437adcf85174d911a7eed5166c65180f48f649dcdb8

SHA512
e94a45282a49e9d89d1bef908c7781fdd24146c78ae03b85b5d550232e85ee3e823c6ca47bd99618e597ac47a455beb34a927917839e2866e78fd95784e9077a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xp7yuvhq.cmdline

Filesize
266B

MD5
285e50635941169e32eebb6777e3dba7

SHA1
34805223b09bf3c5421eb563b4f4bfeae4a38f24

SHA256
e9915c4ebeab3768b416523a1236cc13ae288ab79cebb8f2c0245624b51375ff

SHA512
3a21df270d3a740eeec262a0a6d1b549d06ce73913afe887bd0130da803a4951eeab508e8b0d5ca95177dbcc241ce3da0804d05ccad24f5646bcf35dc252a80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/3204-1-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/3204-2-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/3204-0-0x0000000074632000-0x0000000074633000-memory.dmp

Filesize
4KB

Download
memory/3204-22-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/4508-8-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/4508-18-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/5084-23-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/5084-24-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/5084-26-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/5084-27-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/5084-28-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads