hiverat | 528f620f2cd3e22ce81c119a51801527a0ca2a1e5f3c05cf31591a28858359c4

General

Target

528f620f2cd3e22ce81c119a51801527a0ca2a1e5f3c05cf31591a28858359c4.exe
Size

955KB
MD5

38c0511fa37c2f89a7a64f98065fc8a5
SHA1

e279a64626c4819727390916993a679ce22ab183
SHA256

528f620f2cd3e22ce81c119a51801527a0ca2a1e5f3c05cf31591a28858359c4
SHA512

38e254745b5843b1edfa08e0676265b3dd13e7b5131fa3094690f3e0975e3f98b90ad871184edd0f9efe31687b96ab634db28ae5058dca776f23fe0a807d5082

Score

10^/10

hiverat rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

HiveRAT Payload 15 IoCs

resource	yara_rule
behavioral1/memory/1100-62-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1100-61-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1100-63-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1100-64-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1100-65-0x000000000044CB8E-mapping.dmp	family_hiverat
behavioral1/memory/1100-67-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1100-69-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1100-74-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1100-73-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1100-72-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1100-71-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1100-78-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1100-81-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1100-83-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1100-82-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 964 set thread context of 1100	964	528f620f2cd3e22ce81c119a51801527a0ca2a1e5f3c05cf31591a28858359c4.exe	27

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1864	1100	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	964	528f620f2cd3e22ce81c119a51801527a0ca2a1e5f3c05cf31591a28858359c4.exe
Token: SeDebugPrivilege	1100	InstallUtil.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 1100	964	528f620f2cd3e22ce81c119a51801527a0ca2a1e5f3c05cf31591a28858359c4.exe	27
PID 964 wrote to memory of 1100	964	528f620f2cd3e22ce81c119a51801527a0ca2a1e5f3c05cf31591a28858359c4.exe	27
PID 964 wrote to memory of 1100	964	528f620f2cd3e22ce81c119a51801527a0ca2a1e5f3c05cf31591a28858359c4.exe	27
PID 964 wrote to memory of 1100	964	528f620f2cd3e22ce81c119a51801527a0ca2a1e5f3c05cf31591a28858359c4.exe	27
PID 964 wrote to memory of 1100	964	528f620f2cd3e22ce81c119a51801527a0ca2a1e5f3c05cf31591a28858359c4.exe	27
PID 964 wrote to memory of 1100	964	528f620f2cd3e22ce81c119a51801527a0ca2a1e5f3c05cf31591a28858359c4.exe	27
PID 964 wrote to memory of 1100	964	528f620f2cd3e22ce81c119a51801527a0ca2a1e5f3c05cf31591a28858359c4.exe	27
PID 964 wrote to memory of 1100	964	528f620f2cd3e22ce81c119a51801527a0ca2a1e5f3c05cf31591a28858359c4.exe	27
PID 964 wrote to memory of 1100	964	528f620f2cd3e22ce81c119a51801527a0ca2a1e5f3c05cf31591a28858359c4.exe	27
PID 964 wrote to memory of 1100	964	528f620f2cd3e22ce81c119a51801527a0ca2a1e5f3c05cf31591a28858359c4.exe	27
PID 964 wrote to memory of 1100	964	528f620f2cd3e22ce81c119a51801527a0ca2a1e5f3c05cf31591a28858359c4.exe	27
PID 964 wrote to memory of 1100	964	528f620f2cd3e22ce81c119a51801527a0ca2a1e5f3c05cf31591a28858359c4.exe	27
PID 964 wrote to memory of 1100	964	528f620f2cd3e22ce81c119a51801527a0ca2a1e5f3c05cf31591a28858359c4.exe	27
PID 1100 wrote to memory of 1864	1100	InstallUtil.exe	28
PID 1100 wrote to memory of 1864	1100	InstallUtil.exe	28
PID 1100 wrote to memory of 1864	1100	InstallUtil.exe	28
PID 1100 wrote to memory of 1864	1100	InstallUtil.exe	28

C:\Users\Admin\AppData\Local\Temp\528f620f2cd3e22ce81c119a51801527a0ca2a1e5f3c05cf31591a28858359c4.exe
"C:\Users\Admin\AppData\Local\Temp\528f620f2cd3e22ce81c119a51801527a0ca2a1e5f3c05cf31591a28858359c4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 540
    3⤵
    - Program crash
    PID:1864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/964-54-0x0000000000F00000-0x0000000000FF4000-memory.dmp

Filesize
976KB

Download
memory/964-55-0x00000000004C0000-0x00000000004E0000-memory.dmp

Filesize
128KB

Download
memory/964-56-0x0000000000500000-0x0000000000524000-memory.dmp

Filesize
144KB

Download
memory/964-57-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/1100-58-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1100-59-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1100-62-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1100-61-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1100-63-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1100-64-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1100-67-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1100-69-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1100-74-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1100-73-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1100-72-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1100-71-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1100-78-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1100-81-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1100-83-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1100-82-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing