Overview

overview

10

Static

static

Booking Co...DF.exe

windows7_x64

10

Booking Co...DF.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Booking Confirmation 110420203251 - copy - PDF.exe

  • Size

    344KB

  • Sample

    201105-8lhrre6d56

  • MD5

    f4f48519f108900933d0dd0e8aa1f40f

  • SHA1

    5a48020b486ab74eea85cf88d647dc2ba0994ace

  • SHA256

    f6d2fe1a8ba40429708ec5c70159fcff0e9741ea260ea93e3665d6ea752f96d3

  • SHA512

    d02dc186871c344bddac7ae1a5c1e9c72014e106dfdbe1c565bf7a56ae052b10f7abb69f34010f5315752766bc40a86d1f9e20da2c8c70f7c0aef053ab3248a1

Score
10/10
hiveratratspywarestealer

Malware Config

Targets

    • Target

      Booking Confirmation 110420203251 - copy - PDF.exe

    • Size

      344KB

    • MD5

      f4f48519f108900933d0dd0e8aa1f40f

    • SHA1

      5a48020b486ab74eea85cf88d647dc2ba0994ace

    • SHA256

      f6d2fe1a8ba40429708ec5c70159fcff0e9741ea260ea93e3665d6ea752f96d3

    • SHA512

      d02dc186871c344bddac7ae1a5c1e9c72014e106dfdbe1c565bf7a56ae052b10f7abb69f34010f5315752766bc40a86d1f9e20da2c8c70f7c0aef053ab3248a1

    Score
    10/10
    hiveratratspywarestealer

    • HiveRAT

      HiveRAT is an improved version of FirebirdRAT with various capabilities.

      ratstealerhiverat

    • Beds Protector Packer

      Detects Beds Protector packer used to load .NET malware.

    • HiveRAT Payload

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks