hiverat | 04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d

General

Target

04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe
Size

334KB
MD5

d0dc4b79447268d2d938a31447918a0e
SHA1

a572d0f1d50245baa8f3da4ee8bd3865b8f6d0eb
SHA256

04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d
SHA512

17751c11420f789addcbedbf9fefd140c7b87ac0aa33cf883fa489638f4307bff06e26582601797132c26489d6b453f081e7cff60b761c38097bae3e594f9ae3

Score

10^/10

hiverat persistence rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\IJilC1YVc20K6oY2\\dRZraiX37CNH.exe\",explorer.exe"	04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe

HiveRAT Payload 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1968-61-0x0000000005BB0000-0x0000000005C04000-memory.dmp	family_hiverat
behavioral1/memory/676-65-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/676-66-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/676-67-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/676-68-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/676-69-0x000000000044C8DE-mapping.dmp	family_hiverat
behavioral1/memory/676-71-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/676-73-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/676-75-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/676-76-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/676-77-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/676-78-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/676-82-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/676-85-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/676-86-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/676-87-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Suspicious use of SetThreadContext 1 IoCs

Processes:

04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe

description	pid	Process	procid_target
PID 1968 set thread context of 676	1968	04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe	27

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1976	676	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe

pid	Process
1968	04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe

description	pid	Process
Token: SeDebugPrivilege	1968	04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe
Token: SeDebugPrivilege	1968	04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe
Token: SeDebugPrivilege	676	04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe

description	pid	Process	procid_target
PID 1968 wrote to memory of 676	1968	04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe	27
PID 1968 wrote to memory of 676	1968	04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe	27
PID 1968 wrote to memory of 676	1968	04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe	27
PID 1968 wrote to memory of 676	1968	04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe	27
PID 1968 wrote to memory of 676	1968	04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe	27
PID 1968 wrote to memory of 676	1968	04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe	27
PID 1968 wrote to memory of 676	1968	04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe	27
PID 1968 wrote to memory of 676	1968	04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe	27
PID 1968 wrote to memory of 676	1968	04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe	27
PID 1968 wrote to memory of 676	1968	04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe	27
PID 676 wrote to memory of 1976	676	04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe	28
PID 676 wrote to memory of 1976	676	04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe	28
PID 676 wrote to memory of 1976	676	04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe	28
PID 676 wrote to memory of 1976	676	04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe	28

C:\Users\Admin\AppData\Local\Temp\04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe
"C:\Users\Admin\AppData\Local\Temp\04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe
  "C:\Users\Admin\AppData\Local\Temp\04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 552
    3⤵
    - Program crash
    PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/676-76-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/676-63-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/676-68-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/676-69-0x000000000044C8DE-mapping.dmp

Download
memory/676-67-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/676-87-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/676-86-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/676-85-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/676-62-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/676-75-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/676-65-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/676-66-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/676-82-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/676-78-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/676-77-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/676-71-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/676-73-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1968-61-0x0000000005BB0000-0x0000000005C04000-memory.dmp

Filesize
336KB

Download
memory/1968-54-0x00000000013C0000-0x000000000141A000-memory.dmp

Filesize
360KB

Download
memory/1968-57-0x0000000000560000-0x0000000000594000-memory.dmp

Filesize
208KB

Download
memory/1968-56-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/1968-55-0x0000000000E45000-0x0000000000E56000-memory.dmp

Filesize
68KB

Download
memory/1968-60-0x0000000005150000-0x0000000005184000-memory.dmp

Filesize
208KB

Download
memory/1968-59-0x0000000004980000-0x00000000049B4000-memory.dmp

Filesize
208KB

Download
memory/1968-58-0x0000000000E10000-0x0000000000E44000-memory.dmp

Filesize
208KB

Download
memory/1976-93-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads