hiverat | 2f26ea19a8fdb167b8593e8eec03c37248b6e5008f0b9ee5fb7d326cbe6500bf | Triage

Submit
Reports

Overview

overview

Static

static

2f26ea19a8...bf.exe

windows7_x64

2f26ea19a8...bf.exe

windows10_x64

Sharing

General

Target

2f26ea19a8fdb167b8593e8eec03c37248b6e5008f0b9ee5fb7d326cbe6500bf
Size

743KB
Sample

210228-1dwrxmhpcj
MD5

b9000bb1ebd5843afc9f524c5b2b4cb0
SHA1

9ce98360d731abf87c11c535184c57095bdb70ce
SHA256

2f26ea19a8fdb167b8593e8eec03c37248b6e5008f0b9ee5fb7d326cbe6500bf
SHA512

e714c718a21cc2090c8b6d829dfa2c23d9543c37dbc9383b9c5126d071e98a389ef1a45fbf71087a2574a9defd23f3996eb50e3507fcc3acb786da1beb33cef5

Score

10^/10

hiverat agilenet persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

2f26ea19a8fdb167b8593e8eec03c37248b6e5008f0b9ee5fb7d326cbe6500bf.exe

Resource

win7v20201028

hiverat agilenet persistence rat stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

2f26ea19a8fdb167b8593e8eec03c37248b6e5008f0b9ee5fb7d326cbe6500bf.exe

Resource

win10v20201028

hiverat agilenet persistence rat stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  2f26ea19a8fdb167b8593e8eec03c37248b6e5008f0b9ee5fb7d326cbe6500bf
- Size
  
  743KB
- MD5
  
  b9000bb1ebd5843afc9f524c5b2b4cb0
- SHA1
  
  9ce98360d731abf87c11c535184c57095bdb70ce
- SHA256
  
  2f26ea19a8fdb167b8593e8eec03c37248b6e5008f0b9ee5fb7d326cbe6500bf
- SHA512
  
  e714c718a21cc2090c8b6d829dfa2c23d9543c37dbc9383b9c5126d071e98a389ef1a45fbf71087a2574a9defd23f3996eb50e3507fcc3acb786da1beb33cef5
Score

10^/10

hiverat agilenet persistence rat stealer
- HiveRAT
  HiveRAT is an improved version of FirebirdRAT with various capabilities.
  rat stealer hiverat
- HiveRAT Payload
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

hiveratagilenetpersistenceratstealer

behavioral2

hiveratagilenetpersistenceratstealer

© 2018-2024

Terms | Privacy