Overview

overview

10

Static

static

Booking Co...DF.exe

windows7_x64

10

Booking Co...DF.exe

windows10_x64

10

Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    08-03-2021 21:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Booking Confirmation 1104202403251 - copy - PDF.exe

  • Size

    344KB

  • MD5

    f4f48519f108900933d0dd0e8aa1f40f

  • SHA1

    5a48020b486ab74eea85cf88d647dc2ba0994ace

  • SHA256

    f6d2fe1a8ba40429708ec5c70159fcff0e9741ea260ea93e3665d6ea752f96d3

  • SHA512

    d02dc186871c344bddac7ae1a5c1e9c72014e106dfdbe1c565bf7a56ae052b10f7abb69f34010f5315752766bc40a86d1f9e20da2c8c70f7c0aef053ab3248a1

Score
10/10
hiveratratstealer

Malware Config

Signatures

  • HiveRAT

    HiveRAT is an improved version of FirebirdRAT with various capabilities.

    ratstealerhiverat
  • Beds Protector Packer 1 IoCs

    Detects Beds Protector packer used to load .NET malware.

  • HiveRAT Payload 4 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 57 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 1104202403251 - copy - PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 1104202403251 - copy - PDF.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c timeout 5 & powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Local\Temp\\46692.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 1104202403251 - copy - PDF.exe'
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Windows\SysWOW64\timeout.exe
        timeout 5
        3⤵
        • Delays execution with timeout.exe
        PID:1400
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Local\Temp\\46692.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 1104202403251 - copy - PDF.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1564
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46692.js"
          4⤵
          • Suspicious behavior: RenamesItself
          PID:1940
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 1104202403251 - copy - PDF.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 1104202403251 - copy - PDF.exe"
          4⤵
          • Drops startup file
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:476
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 1104202403251 - copy - PDF.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 1104202403251 - copy - PDF.exe"
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/476-46-0x00000000004A0000-0x00000000004A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/476-41-0x00000000730E0000-0x00000000737CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/476-42-0x0000000000F80000-0x0000000000F81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/476-45-0x00000000049C0000-0x00000000049C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/892-53-0x0000000004C10000-0x0000000004C11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/892-50-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/892-49-0x00000000730E0000-0x00000000737CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/892-47-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/892-52-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1108-2-0x0000000073E00000-0x00000000744EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1108-6-0x0000000004A30000-0x0000000004A31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1108-5-0x0000000001F00000-0x0000000001F4B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1108-3-0x0000000000390000-0x0000000000391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1564-11-0x00000000730E0000-0x00000000737CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1564-17-0x0000000002850000-0x0000000002851000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1564-34-0x000000007EF30000-0x000000007EF31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1564-26-0x0000000005760000-0x0000000005761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1564-37-0x00000000063D0000-0x00000000063D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1564-10-0x00000000760D1000-0x00000000760D3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1564-25-0x00000000056F0000-0x00000000056F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1564-20-0x0000000005620000-0x0000000005621000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1564-33-0x0000000006280000-0x0000000006281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1564-16-0x00000000024E0000-0x00000000024E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1564-15-0x0000000002812000-0x0000000002813000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1564-14-0x0000000002810000-0x0000000002811000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1564-13-0x00000000048B0000-0x00000000048B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1564-12-0x0000000002320000-0x0000000002321000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1940-39-0x0000000002770000-0x0000000002774000-memory.dmp

    Filesize

    16KB

    Download