hiverat | c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095

General

Target

c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095.exe
Size

504KB
MD5

3eee2cacbdec05479d8a24989ad36713
SHA1

00cb49cce05840f394f793ceeae54623e418c18b
SHA256

c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095
SHA512

d59f8e97a12fdfd2faa947e2b612e09529e6c4542f729f72b5015cb9d47eef61eb34990383cde592c692f52b5d04788b54a82132e236eb66e75d8973416b96c6

Score

10^/10

hiverat rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

HiveRAT Payload 10 IoCs

resource	yara_rule
behavioral2/memory/1524-139-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1524-141-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1524-145-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1524-144-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1524-146-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1524-147-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1524-151-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1524-154-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1524-155-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1524-156-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 408 set thread context of 1524	408	c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1496	1524	WerFault.exe	91

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
408	c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	408	c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095.exe
Token: SeDebugPrivilege	1524	c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 3108	408	c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095.exe	89
PID 408 wrote to memory of 3108	408	c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095.exe	89
PID 408 wrote to memory of 3108	408	c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095.exe	89
PID 408 wrote to memory of 1524	408	c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095.exe	91
PID 408 wrote to memory of 1524	408	c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095.exe	91
PID 408 wrote to memory of 1524	408	c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095.exe	91
PID 408 wrote to memory of 1524	408	c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095.exe	91
PID 408 wrote to memory of 1524	408	c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095.exe	91
PID 408 wrote to memory of 1524	408	c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095.exe	91
PID 408 wrote to memory of 1524	408	c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095.exe	91
PID 408 wrote to memory of 1524	408	c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095.exe	91
PID 408 wrote to memory of 1524	408	c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095.exe	91

C:\Users\Admin\AppData\Local\Temp\c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095.exe
"C:\Users\Admin\AppData\Local\Temp\c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:408
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nXDftZAoPux" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFCBC.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3108
- C:\Users\Admin\AppData\Local\Temp\c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095.exe
  "{path}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 784
    3⤵
    - Program crash
    PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1524 -ip 1524
1⤵
PID:2416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\c3a22233aee6a06d88c2190bc8dead9f9a15d370bf898d7a6a9ace9f40a6b095.exe.log

Filesize
1KB

MD5
6f8f3a9a57cb30e686d3355e656031e0

SHA1
acccd6befb1a2f40e662280bc5182e086a0d079b

SHA256
283586e83b25099a5698cb9caf9c594a37060d11e0f55c81bb9c6d4f728448ea

SHA512
8f11d645ff4f8d5b1c45b06eb52cd45319659255306d60e80e33abfd04b9e3b1164679f11a8a23bd493e4b3f6b9841d70e553a01835eeaf6035b4d05e4fd7b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFCBC.tmp

Filesize
1KB

MD5
411aca032ff7f9cc75c4a47c2e5b9bc8

SHA1
217c563a467d03420044de854bae91eebd655a8e

SHA256
065e0941e2ac506fc692a782372bc83795a84502914a4e6d013ccce8c4ba4a3e

SHA512
03b56c5805edadf79ba7e6820a56313413051e50b4177b4b1983b83480c7633308f0fffbd16fa4def303835ee3b07476cf3ff66ae86e62a2d08955c70b483823

Download Submit
memory/408-130-0x00000000003E0000-0x0000000000462000-memory.dmp

Filesize
520KB

Download
memory/408-131-0x0000000005480000-0x0000000005A24000-memory.dmp

Filesize
5.6MB

Download
memory/408-132-0x0000000004ED0000-0x0000000004F62000-memory.dmp

Filesize
584KB

Download
memory/408-133-0x0000000004E20000-0x0000000004E2A000-memory.dmp

Filesize
40KB

Download
memory/408-134-0x00000000077D0000-0x0000000007CFC000-memory.dmp

Filesize
5.2MB

Download
memory/408-135-0x0000000008040000-0x00000000080DC000-memory.dmp

Filesize
624KB

Download
memory/1524-141-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1524-139-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1524-145-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1524-144-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1524-146-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1524-147-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1524-151-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1524-154-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1524-155-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1524-156-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads