hiverat | 247224c99fceb82691532d78441f3f419b3ed2d64559c09ab29dc71d1841affa

General

Target

247224c99fceb82691532d78441f3f419b3ed2d64559c09ab29dc71d1841affa.exe
Size

516KB
MD5

a017058b040b5a38add4f95861a11f67
SHA1

f5fd43a5f9c48b21b83b778ae1ffe1f7ede0283b
SHA256

247224c99fceb82691532d78441f3f419b3ed2d64559c09ab29dc71d1841affa
SHA512

64f6c8b098c136f7ce375e76d8c53f7797a2e7fb1ea45192947a563eef8b8b45dc1ff7d3b923b23ab84ae8fece04def040f3f0098eae175980319a7207f9d692

Score

10^/10

hiverat rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

HiveRAT Payload 10 IoCs

resource	yara_rule
behavioral2/memory/1384-137-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1384-139-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1384-141-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1384-143-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1384-145-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1384-147-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1384-156-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1384-162-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1384-164-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1384-166-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1928 set thread context of 1384	1928	247224c99fceb82691532d78441f3f419b3ed2d64559c09ab29dc71d1841affa.exe	87

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2904	1384	WerFault.exe	87

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	247224c99fceb82691532d78441f3f419b3ed2d64559c09ab29dc71d1841affa.exe
Token: SeDebugPrivilege	1384	InstallUtil.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1384	1928	247224c99fceb82691532d78441f3f419b3ed2d64559c09ab29dc71d1841affa.exe	87
PID 1928 wrote to memory of 1384	1928	247224c99fceb82691532d78441f3f419b3ed2d64559c09ab29dc71d1841affa.exe	87
PID 1928 wrote to memory of 1384	1928	247224c99fceb82691532d78441f3f419b3ed2d64559c09ab29dc71d1841affa.exe	87
PID 1928 wrote to memory of 1384	1928	247224c99fceb82691532d78441f3f419b3ed2d64559c09ab29dc71d1841affa.exe	87
PID 1928 wrote to memory of 1384	1928	247224c99fceb82691532d78441f3f419b3ed2d64559c09ab29dc71d1841affa.exe	87
PID 1928 wrote to memory of 1384	1928	247224c99fceb82691532d78441f3f419b3ed2d64559c09ab29dc71d1841affa.exe	87
PID 1928 wrote to memory of 1384	1928	247224c99fceb82691532d78441f3f419b3ed2d64559c09ab29dc71d1841affa.exe	87
PID 1928 wrote to memory of 1384	1928	247224c99fceb82691532d78441f3f419b3ed2d64559c09ab29dc71d1841affa.exe	87
PID 1928 wrote to memory of 1384	1928	247224c99fceb82691532d78441f3f419b3ed2d64559c09ab29dc71d1841affa.exe	87

C:\Users\Admin\AppData\Local\Temp\247224c99fceb82691532d78441f3f419b3ed2d64559c09ab29dc71d1841affa.exe
"C:\Users\Admin\AppData\Local\Temp\247224c99fceb82691532d78441f3f419b3ed2d64559c09ab29dc71d1841affa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 776
    3⤵
    - Program crash
    PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1384 -ip 1384
1⤵
PID:1680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1384-147-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1384-145-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1384-141-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1384-143-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1384-139-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1384-164-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1384-162-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1384-137-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1384-166-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1384-156-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1384-151-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/1928-135-0x0000000005C20000-0x0000000005C21000-memory.dmp

Filesize
4KB

Download
memory/1928-130-0x0000000000FF0000-0x0000000001078000-memory.dmp

Filesize
544KB

Download
memory/1928-133-0x00000000086B0000-0x0000000008C54000-memory.dmp

Filesize
5.6MB

Download
memory/1928-132-0x0000000005A60000-0x0000000005AFC000-memory.dmp

Filesize
624KB

Download
memory/1928-136-0x0000000008560000-0x0000000008582000-memory.dmp

Filesize
136KB

Download
memory/1928-131-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/1928-134-0x0000000008330000-0x00000000083C2000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing