hiverat | 983307d0b15ee7e2bf5551873f5dc7dd486951263de813c7beed55ab726ef91c

General

Target

983307d0b15ee7e2bf5551873f5dc7dd486951263de813c7beed55ab726ef91c.exe
Size

355KB
MD5

2f0e24e82f7c70b3c698af44d4e1985d
SHA1

d82af75bed79db528eed3520af0b79bb9476deec
SHA256

983307d0b15ee7e2bf5551873f5dc7dd486951263de813c7beed55ab726ef91c
SHA512

d1e17b54773b8abbd6a1c713f25c96436643b7059c2fc1f3bd2976daffbaca719df066279659e7340bedf57fa29a626da753f937bf3022c7f9380547396bc1cb

Score

10^/10

hiverat rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

HiveRAT Payload 15 IoCs

resource	yara_rule
behavioral1/memory/1496-61-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1496-62-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1496-63-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1496-64-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1496-65-0x000000000044CCFE-mapping.dmp	family_hiverat
behavioral1/memory/1496-67-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1496-69-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1496-71-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1496-72-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1496-73-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1496-74-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1496-78-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1496-81-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1496-82-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1496-83-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1800 set thread context of 1496	1800	983307d0b15ee7e2bf5551873f5dc7dd486951263de813c7beed55ab726ef91c.exe	27

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1924	1496	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	983307d0b15ee7e2bf5551873f5dc7dd486951263de813c7beed55ab726ef91c.exe
Token: SeDebugPrivilege	1496	InstallUtil.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 1496	1800	983307d0b15ee7e2bf5551873f5dc7dd486951263de813c7beed55ab726ef91c.exe	27
PID 1800 wrote to memory of 1496	1800	983307d0b15ee7e2bf5551873f5dc7dd486951263de813c7beed55ab726ef91c.exe	27
PID 1800 wrote to memory of 1496	1800	983307d0b15ee7e2bf5551873f5dc7dd486951263de813c7beed55ab726ef91c.exe	27
PID 1800 wrote to memory of 1496	1800	983307d0b15ee7e2bf5551873f5dc7dd486951263de813c7beed55ab726ef91c.exe	27
PID 1800 wrote to memory of 1496	1800	983307d0b15ee7e2bf5551873f5dc7dd486951263de813c7beed55ab726ef91c.exe	27
PID 1800 wrote to memory of 1496	1800	983307d0b15ee7e2bf5551873f5dc7dd486951263de813c7beed55ab726ef91c.exe	27
PID 1800 wrote to memory of 1496	1800	983307d0b15ee7e2bf5551873f5dc7dd486951263de813c7beed55ab726ef91c.exe	27
PID 1800 wrote to memory of 1496	1800	983307d0b15ee7e2bf5551873f5dc7dd486951263de813c7beed55ab726ef91c.exe	27
PID 1800 wrote to memory of 1496	1800	983307d0b15ee7e2bf5551873f5dc7dd486951263de813c7beed55ab726ef91c.exe	27
PID 1800 wrote to memory of 1496	1800	983307d0b15ee7e2bf5551873f5dc7dd486951263de813c7beed55ab726ef91c.exe	27
PID 1800 wrote to memory of 1496	1800	983307d0b15ee7e2bf5551873f5dc7dd486951263de813c7beed55ab726ef91c.exe	27
PID 1800 wrote to memory of 1496	1800	983307d0b15ee7e2bf5551873f5dc7dd486951263de813c7beed55ab726ef91c.exe	27
PID 1800 wrote to memory of 1496	1800	983307d0b15ee7e2bf5551873f5dc7dd486951263de813c7beed55ab726ef91c.exe	27
PID 1496 wrote to memory of 1924	1496	InstallUtil.exe	28
PID 1496 wrote to memory of 1924	1496	InstallUtil.exe	28
PID 1496 wrote to memory of 1924	1496	InstallUtil.exe	28
PID 1496 wrote to memory of 1924	1496	InstallUtil.exe	28

C:\Users\Admin\AppData\Local\Temp\983307d0b15ee7e2bf5551873f5dc7dd486951263de813c7beed55ab726ef91c.exe
"C:\Users\Admin\AppData\Local\Temp\983307d0b15ee7e2bf5551873f5dc7dd486951263de813c7beed55ab726ef91c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 536
    3⤵
    - Program crash
    PID:1924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1496-74-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1496-67-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1496-83-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1496-58-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1496-59-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1496-61-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1496-62-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1496-69-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1496-64-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1496-82-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1496-81-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1496-63-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1496-71-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1496-72-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1496-73-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1496-78-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1800-55-0x0000000000520000-0x0000000000540000-memory.dmp

Filesize
128KB

Download
memory/1800-56-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/1800-57-0x0000000000680000-0x0000000000692000-memory.dmp

Filesize
72KB

Download
memory/1800-54-0x0000000000380000-0x00000000003DE000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing