General
- Target: NEW SC.cmd
- Size: 14KB
- Sample: 201201-b4k57571mn
- MD5: 870ffbc1a133083f10fadf93cf28f706
- SHA1: eddbe2346d62a6925634abd5dfe2d6f6b0ff3a5b
- SHA256: f49c3157e749609acf89ae453958b7d4f1fc165941e6e998271b0caee1f0cf35
- SHA512: f6b65b12ccadc42cfecc2130399cab9beadf4447dfbae09c523c3e7dc7eacf881be2d7590942f49e1270c3d8c3d793cfb293006696300c56ab5320b66d8f835b

Static task: static1

Behavioral task: behavioral1
- Sample: NEW SC.cmd.exe
- Resource: win7v20201028
Malware Config
Targets
- Target: NEW SC.cmd
- Size: 14KB
- Modifies WinLogon for persistence
- Turns off Windows Defender SpyNet reporting
- HiveRAT Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v6

Persistence
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)

Defense Evasion
- Disabling Security Tools (4)
- Modify Registry (6)
- Virtualization/Sandbox Evasion (2)
- Web Service (1)