Booking Confirmation 110992024951 - copy - PDF.exe

General

Target: Booking Confirmation 110992024951 - copy - PDF.exe
Size: 852KB
Sample: 201109-ly4xl49sps
Score: 10/10
MD5: 76365cf942438345266042ed4f88b48b
SHA1: 5e83c5e24bb0a923a8988ca2ac39f2a1656d052d
SHA256: f0331d96574776e1254747cac935785308803f1234cb833064f0aae4e9aa7964
SHA512: 76f9b23b199dd248be5c7d7a32f36bb079f93b3d7664ea82c2db942876861eeb37cce5cd5a6d207f47fa19b1d4007c1ad9e862ea8917b74f591e312c5020127b

Malware Config

Targets

Target: Booking Confirmation 110992024951 - copy - PDF.exe
MD5: 76365cf942438345266042ed4f88b48b
Filesize: 852KB
Score: 10/10
SHA1: 5e83c5e24bb0a923a8988ca2ac39f2a1656d052d
SHA256: f0331d96574776e1254747cac935785308803f1234cb833064f0aae4e9aa7964
SHA512: 76f9b23b199dd248be5c7d7a32f36bb079f93b3d7664ea82c2db942876861eeb37cce5cd5a6d207f47fa19b1d4007c1ad9e862ea8917b74f591e312c5020127b

Signatures

  • HiveRAT
    Description: HiveRAT is an improved version of FirebirdRAT with various capabilities.
  • HiveRAT Payload
  • Executes dropped EXE
  • Loads dropped DLL
  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry
  • Enumerates physical storage devices
    Description: Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Tasks

  • static1
  • behavioral1: 10/10
  • behavioral2: 10/10