Overview

overview

10

Static

static

2f26ea19a8...bf.exe

windows7_x64

10

2f26ea19a8...bf.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    28-02-2021 07:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f26ea19a8fdb167b8593e8eec03c37248b6e5008f0b9ee5fb7d326cbe6500bf.exe

  • Size

    743KB

  • MD5

    b9000bb1ebd5843afc9f524c5b2b4cb0

  • SHA1

    9ce98360d731abf87c11c535184c57095bdb70ce

  • SHA256

    2f26ea19a8fdb167b8593e8eec03c37248b6e5008f0b9ee5fb7d326cbe6500bf

  • SHA512

    e714c718a21cc2090c8b6d829dfa2c23d9543c37dbc9383b9c5126d071e98a389ef1a45fbf71087a2574a9defd23f3996eb50e3507fcc3acb786da1beb33cef5

Score
10/10
hiveratagilenetpersistenceratstealer

Malware Config

Signatures

  • HiveRAT

    HiveRAT is an improved version of FirebirdRAT with various capabilities.

    ratstealerhiverat
  • HiveRAT Payload 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f26ea19a8fdb167b8593e8eec03c37248b6e5008f0b9ee5fb7d326cbe6500bf.exe
    "C:\Users\Admin\AppData\Local\Temp\2f26ea19a8fdb167b8593e8eec03c37248b6e5008f0b9ee5fb7d326cbe6500bf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:652
    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution5.vbs"
        3⤵
          PID:3628
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution2.vbs"
          3⤵
          • Adds Run key to start application
          PID:2604
        • C:\Windows\SysWOW64\explorer.exe
          "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
          3⤵
            PID:3916
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        1⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3936
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
          2⤵
          • Adds Run key to start application
          PID:1212

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Execution.vbs
        MD5

        e2fb1014fb6909dac79b6438f26c987e

        SHA1

        4d150264578586fe811ff7aeb1b0bd3aa834156d

        SHA256

        38d4b6278bfc14f144475e5fa6e8b95fbc82f644af90788d79c277b25cc5c3c1

        SHA512

        c00059a5290248bec2beaf56338a90d360f44bb15b3a212d3ede0cc7403e2ba76e7da8b535048ca34a94fabd5b125cea3ae464090af70446cb699c658bd57fe7

        Download Submit

      • C:\Users\Admin\AppData\Local\Execution2.vbs
        MD5

        fc30feb9f88357c00ab8d75abb5bddcd

        SHA1

        c44d77b4d44f04d4a6f31c2cd5fc02efc9606635

        SHA256

        c60465331dd1a285c74809e1003ed606f97546e969bc53bc3d3178623c858a1a

        SHA512

        b518a2248fe235d5480b1bc059cc03c3e36a2ebf20011b496347a9903b39c936de937741abb8f90d7ec155e46d3ceda07f76257e82bfac62bfa9e0d1bf038e4e

        Download Submit

      • C:\Users\Admin\AppData\Local\Execution5.vbs
        MD5

        79e1d7021aeede321d035e1df1c00235

        SHA1

        0325d160e94e392c3172251f22083c70c50ec1ec

        SHA256

        9e508dfda138004a7bba417e881697af397667d502274a85e5a738e8e3eb11e3

        SHA512

        f0deea9a1cec9161f7e1bd187c864e2b057e100910b455e9eb978d3081507dcab521cc873ab34b93fbd246964839a1d1fb5613bfd812c03588aa264bdc5e8525

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        MD5

        91c9ae9c9a17a9db5e08b120e668c74c

        SHA1

        50770954c1ceb0bb6f1d5d3f2de2a0a065773723

        SHA256

        e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

        SHA512

        ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        MD5

        91c9ae9c9a17a9db5e08b120e668c74c

        SHA1

        50770954c1ceb0bb6f1d5d3f2de2a0a065773723

        SHA256

        e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

        SHA512

        ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

        Download Submit

      • memory/652-6-0x00000000022F0000-0x00000000022FB000-memory.dmp

        Filesize

        44KB

        Download

      • memory/652-9-0x00000000048E1000-0x00000000048E2000-memory.dmp

        Filesize

        4KB

        Download

      • memory/652-10-0x0000000004E70000-0x0000000004E73000-memory.dmp

        Filesize

        12KB

        Download

      • memory/652-8-0x00000000050E0000-0x00000000050E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/652-7-0x00000000054F0000-0x00000000054F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/652-5-0x00000000048E0000-0x00000000048E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/652-2-0x0000000073FF0000-0x00000000746DE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/652-3-0x0000000000040000-0x0000000000041000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1212-30-0x0000000000000000-mapping.dmp

        Download

      • memory/1704-15-0x0000000073FF0000-0x00000000746DE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1704-21-0x0000000005000000-0x0000000005001000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1704-22-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

        Download

      • memory/1704-23-0x0000000004D70000-0x0000000004D71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1704-20-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1704-16-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

        Download

      • memory/1704-12-0x000000000044CB3E-mapping.dmp

        Download

      • memory/1704-11-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

        Download

      • memory/2604-25-0x0000000000000000-mapping.dmp

        Download

      • memory/3628-24-0x0000000000000000-mapping.dmp

        Download

      • memory/3916-28-0x0000000000000000-mapping.dmp

        Download