hiverat | 627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad

General

Target

627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
Size

412KB
MD5

9f623866564f2db35e45d61a6dee76c8
SHA1

408cf5d7bda367ea9f5db402824b5534f071b123
SHA256

627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad
SHA512

4b4fe3fab8a5ccd14923253cb319efe87260222d5f60a9f5b32f8fefca11306b27fbdefa7892b3f2828d150913a904408e338538e7b8f4e9fa0021b8ee8b3296

Score

10^/10

hiverat rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/1924-57-0x0000000000460000-0x00000000004B2000-memory.dmp	beds_protector

HiveRAT Payload 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/792-63-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/792-65-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/792-67-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/792-69-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/792-71-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/792-73-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/792-75-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/792-77-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/792-79-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/792-81-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/792-89-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/792-95-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/792-97-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/792-99-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Drops startup file 2 IoCs

Processes:

627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe

description	pid	process	target process
PID 1924 set thread context of 792	1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1308 792 WerFault.exe 627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe

pid	pid_target	process	target process
1308	792	WerFault.exe	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe

pid	process
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe

description	pid	process
Token: SeDebugPrivilege	1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
Token: SeDebugPrivilege	792	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe

description	pid	process	target process
PID 1924 wrote to memory of 792	1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
PID 1924 wrote to memory of 792	1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
PID 1924 wrote to memory of 792	1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
PID 1924 wrote to memory of 792	1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
PID 1924 wrote to memory of 792	1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
PID 1924 wrote to memory of 792	1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
PID 1924 wrote to memory of 792	1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
PID 1924 wrote to memory of 792	1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
PID 1924 wrote to memory of 792	1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
PID 1924 wrote to memory of 792	1924	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
PID 792 wrote to memory of 1308	792	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe	WerFault.exe
PID 792 wrote to memory of 1308	792	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe	WerFault.exe
PID 792 wrote to memory of 1308	792	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe	WerFault.exe
PID 792 wrote to memory of 1308	792	627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
"C:\Users\Admin\AppData\Local\Temp\627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe
  "C:\Users\Admin\AppData\Local\Temp\627d08aae07f05b8a597c9ad2d4d3513ba107f628a4a38727f5a623889b66aad.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 548
    3⤵
    - Program crash
    PID:1308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/792-69-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/792-81-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/792-71-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/792-99-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/792-97-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/792-59-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/792-61-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/792-63-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/792-73-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/792-67-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/792-112-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/792-95-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/792-65-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/792-75-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/792-77-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/792-79-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/792-89-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1924-55-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/1924-56-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/1924-58-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/1924-57-0x0000000000460000-0x00000000004B2000-memory.dmp

Filesize
328KB

Download
memory/1924-54-0x0000000000E50000-0x0000000000EBC000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads