NEW SC.cmd

General
Target

NEW SC.cmd

Size

14KB

Sample

201201-b4k57571mn

Score
10 /10
MD5

870ffbc1a133083f10fadf93cf28f706

SHA1

eddbe2346d62a6925634abd5dfe2d6f6b0ff3a5b

SHA256

f49c3157e749609acf89ae453958b7d4f1fc165941e6e998271b0caee1f0cf35

SHA512

f6b65b12ccadc42cfecc2130399cab9beadf4447dfbae09c523c3e7dc7eacf881be2d7590942f49e1270c3d8c3d793cfb293006696300c56ab5320b66d8f835b

Malware Config
Targets
Target

NEW SC.cmd

MD5

870ffbc1a133083f10fadf93cf28f706

Filesize

14KB

Score
10 /10
SHA1

eddbe2346d62a6925634abd5dfe2d6f6b0ff3a5b

SHA256

f49c3157e749609acf89ae453958b7d4f1fc165941e6e998271b0caee1f0cf35

SHA512

f6b65b12ccadc42cfecc2130399cab9beadf4447dfbae09c523c3e7dc7eacf881be2d7590942f49e1270c3d8c3d793cfb293006696300c56ab5320b66d8f835b

Tags

Signatures

  • HiveRAT

    Description

    HiveRAT is an improved version of FirebirdRAT with various capabilities.

    Tags

  • Modifies WinLogon for persistence

    Tags

    TTPs

    Winlogon Helper DLL Modify Registry
  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify Registry Modify Existing Service Disabling Security Tools
  • Turns off Windows Defender SpyNet reporting

    Tags

    TTPs

    Disabling Security Tools Modify Registry
  • Windows security bypass

    Tags

    TTPs

    Disabling Security Tools Modify Registry
  • HiveRAT Payload

  • Looks for VirtualBox Guest Additions in registry

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion
  • Looks for VMWare Tools registry key

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion
  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry System Information Discovery
  • Deletes itself

  • Drops startup file

  • Windows security modification

    Tags

    TTPs

    Disabling Security Tools Modify Registry
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Maps connected drives based on registry

    Description

    Disk information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Privilege Escalation