hiverat | fcff8f4e1c8655e2b4c1239ac0947a7a56eca16dcec9c2ad58b791b726eb27c9

General

Target

fcff8f4e1c8655e2b4c1239ac0947a7a56eca16dcec9c2ad58b791b726eb27c9.exe
Size

1.0MB
MD5

c155dbf53ae3d27c885344e67c53f4a9
SHA1

f33018f1c97f8e45b3d18590fa452484cbd33c4e
SHA256

fcff8f4e1c8655e2b4c1239ac0947a7a56eca16dcec9c2ad58b791b726eb27c9
SHA512

bd551fdc67db54ce5a894da69cf1a5aa78cb7aaa27d04851f66390178d0f41e3a682770542822df47cd581f19d2d3d586c0209139e3d57494200d69fa8772dcf

Score

10^/10

hiverat rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

HiveRAT Payload 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1748-61-0x0000000000400000-0x000000000047C000-memory.dmp	family_hiverat
behavioral1/memory/1748-63-0x0000000000400000-0x000000000047C000-memory.dmp	family_hiverat
behavioral1/memory/1748-64-0x0000000000400000-0x000000000047C000-memory.dmp	family_hiverat
behavioral1/memory/1748-65-0x0000000000400000-0x000000000047C000-memory.dmp	family_hiverat
behavioral1/memory/1748-66-0x000000000044C98E-mapping.dmp	family_hiverat
behavioral1/memory/1748-68-0x0000000000400000-0x000000000047C000-memory.dmp	family_hiverat
behavioral1/memory/1748-70-0x0000000000400000-0x000000000047C000-memory.dmp	family_hiverat
behavioral1/memory/1748-72-0x0000000000400000-0x000000000047C000-memory.dmp	family_hiverat
behavioral1/memory/1748-73-0x0000000000400000-0x000000000047C000-memory.dmp	family_hiverat
behavioral1/memory/1748-74-0x0000000000400000-0x000000000047C000-memory.dmp	family_hiverat
behavioral1/memory/1748-75-0x0000000000400000-0x000000000047C000-memory.dmp	family_hiverat
behavioral1/memory/1748-79-0x0000000000400000-0x000000000047C000-memory.dmp	family_hiverat
behavioral1/memory/1748-82-0x0000000000400000-0x000000000047C000-memory.dmp	family_hiverat
behavioral1/memory/1748-83-0x0000000000400000-0x000000000047C000-memory.dmp	family_hiverat
behavioral1/memory/1748-84-0x0000000000400000-0x000000000047C000-memory.dmp	family_hiverat

Suspicious use of SetThreadContext 1 IoCs

Processes:

fcff8f4e1c8655e2b4c1239ac0947a7a56eca16dcec9c2ad58b791b726eb27c9.exe

description	pid	process	target process
PID 1992 set thread context of 1748	1992	fcff8f4e1c8655e2b4c1239ac0947a7a56eca16dcec9c2ad58b791b726eb27c9.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

InstallUtil.exe

pid process

1748 InstallUtil.exe
1748 InstallUtil.exe
1748 InstallUtil.exe
1748 InstallUtil.exe

pid	process
1748	InstallUtil.exe
1748	InstallUtil.exe
1748	InstallUtil.exe
1748	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fcff8f4e1c8655e2b4c1239ac0947a7a56eca16dcec9c2ad58b791b726eb27c9.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1992	fcff8f4e1c8655e2b4c1239ac0947a7a56eca16dcec9c2ad58b791b726eb27c9.exe
Token: SeDebugPrivilege	1748	InstallUtil.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

fcff8f4e1c8655e2b4c1239ac0947a7a56eca16dcec9c2ad58b791b726eb27c9.exe

description	pid	process	target process
PID 1992 wrote to memory of 1748	1992	fcff8f4e1c8655e2b4c1239ac0947a7a56eca16dcec9c2ad58b791b726eb27c9.exe	InstallUtil.exe
PID 1992 wrote to memory of 1748	1992	fcff8f4e1c8655e2b4c1239ac0947a7a56eca16dcec9c2ad58b791b726eb27c9.exe	InstallUtil.exe
PID 1992 wrote to memory of 1748	1992	fcff8f4e1c8655e2b4c1239ac0947a7a56eca16dcec9c2ad58b791b726eb27c9.exe	InstallUtil.exe
PID 1992 wrote to memory of 1748	1992	fcff8f4e1c8655e2b4c1239ac0947a7a56eca16dcec9c2ad58b791b726eb27c9.exe	InstallUtil.exe
PID 1992 wrote to memory of 1748	1992	fcff8f4e1c8655e2b4c1239ac0947a7a56eca16dcec9c2ad58b791b726eb27c9.exe	InstallUtil.exe
PID 1992 wrote to memory of 1748	1992	fcff8f4e1c8655e2b4c1239ac0947a7a56eca16dcec9c2ad58b791b726eb27c9.exe	InstallUtil.exe
PID 1992 wrote to memory of 1748	1992	fcff8f4e1c8655e2b4c1239ac0947a7a56eca16dcec9c2ad58b791b726eb27c9.exe	InstallUtil.exe
PID 1992 wrote to memory of 1748	1992	fcff8f4e1c8655e2b4c1239ac0947a7a56eca16dcec9c2ad58b791b726eb27c9.exe	InstallUtil.exe
PID 1992 wrote to memory of 1748	1992	fcff8f4e1c8655e2b4c1239ac0947a7a56eca16dcec9c2ad58b791b726eb27c9.exe	InstallUtil.exe
PID 1992 wrote to memory of 1748	1992	fcff8f4e1c8655e2b4c1239ac0947a7a56eca16dcec9c2ad58b791b726eb27c9.exe	InstallUtil.exe
PID 1992 wrote to memory of 1748	1992	fcff8f4e1c8655e2b4c1239ac0947a7a56eca16dcec9c2ad58b791b726eb27c9.exe	InstallUtil.exe
PID 1992 wrote to memory of 1748	1992	fcff8f4e1c8655e2b4c1239ac0947a7a56eca16dcec9c2ad58b791b726eb27c9.exe	InstallUtil.exe
PID 1992 wrote to memory of 1748	1992	fcff8f4e1c8655e2b4c1239ac0947a7a56eca16dcec9c2ad58b791b726eb27c9.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\fcff8f4e1c8655e2b4c1239ac0947a7a56eca16dcec9c2ad58b791b726eb27c9.exe
"C:\Users\Admin\AppData\Local\Temp\fcff8f4e1c8655e2b4c1239ac0947a7a56eca16dcec9c2ad58b791b726eb27c9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1748-66-0x000000000044C98E-mapping.dmp

Download
memory/1748-58-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1748-84-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1748-70-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1748-68-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1748-59-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1748-61-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1748-63-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1748-64-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1748-65-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1748-83-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1748-82-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1748-79-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1748-72-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1748-73-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1748-74-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1748-75-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1992-57-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/1992-55-0x0000000000410000-0x0000000000430000-memory.dmp

Filesize
128KB

Download
memory/1992-56-0x0000000000550000-0x0000000000574000-memory.dmp

Filesize
144KB

Download
memory/1992-54-0x0000000001360000-0x000000000146A000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads