Malware Analysis Report

2024-10-24 16:30

Sample ID: 220415-llj5eaagg5
Target: d44651217b87d290e2be6c004e8732817bf1d3d61043a93b25e1130ab7a56c7d
SHA256: d44651217b87d290e2be6c004e8732817bf1d3d61043a93b25e1130ab7a56c7d
Tags: hiverat rat stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: d44651217b87d290e2be6c004e8732817bf1d3d61043a93b25e1130ab7a56c7d
Threat Level: Known bad

The file d44651217b87d290e2be6c004e8732817bf1d3d61043a93b25e1130ab7a56c7d was found to be: Known bad.

Malicious Activity Summary

hiverat rat stealer

HiveRAT

HiveRAT Payload

Drops startup file

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A (the sandbox recorded no mapping). Read from the behavioral2 signatures below, the observed techniques are: Startup folder persistence (T1547.001); injection into a spawned copy of its own executable via WriteProcessMemory and SetThreadContext, consistent with process hollowing (T1055.012); process discovery (T1057); SeDebugPrivilege enablement (T1134); foreground-window polling (T1010); and command-and-control over a non-standard TCP port (T1571). This mapping is an analyst reading of the report, not sandbox output.

Analysis: static1

Detonation Overview

Reported: 2022-04-15 09:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-04-15 09:37
Reported: 2022-04-15 11:49
Platform: win7-20220331-en

Command Line / Signatures / Processes / Network / Files

N/A. The Windows 7 run recorded no command line, signatures, processes, network traffic or files, so the sample did not produce observable behavior on that image. Every finding below comes from the Windows 10 run (behavioral2); a Windows 7 host should not be taken as unaffected on the strength of this run alone.

Analysis: behavioral2

Detonation Overview

Submitted: 2022-04-15 09:37
Reported: 2022-04-15 11:52
Platform: win10v2004-20220414-en
Max time kernel: 149s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d44651217b87d290e2be6c004e8732817bf1d3d61043a93b25e1130ab7a56c7d.exe"

Signatures

HiveRAT

rat stealer hiverat

HiveRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A (10 matches; the sandbox recorded no description, indicator, process or target for the payload detection)

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SysWOW64.exe C:\Users\Admin\AppData\Local\Temp\d44651217b87d290e2be6c004e8732817bf1d3d61043a93b25e1130ab7a56c7d.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SysWOW64.exe C:\Users\Admin\AppData\Local\Temp\d44651217b87d290e2be6c004e8732817bf1d3d61043a93b25e1130ab7a56c7d.exe N/A

Windows launches every item in the per-user Startup folder at each interactive logon of that user, so this is the sample's persistence mechanism (T1547.001). The dropped copy is named SysWOW64.exe after the Windows system directory so that it reads as legitimate in a folder listing. An executable written directly into a user-writable Startup folder under a system-sounding name is the condition to detect; the file's hash should be compared with the sample's SHA256 during response, since the report does not record it.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d44651217b87d290e2be6c004e8732817bf1d3d61043a93b25e1130ab7a56c7d.exe N/A (41 events)

The sandbox recorded 41 process-enumeration calls from the sample with no description or indicator. Repeated enumeration is typically how a RAT looks for analysis tools, security products or a process to inject into.

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d44651217b87d290e2be6c004e8732817bf1d3d61043a93b25e1130ab7a56c7d.exe N/A

Polling GetForegroundWindow in a tight loop is the usual way a keylogger or activity monitor attributes captured input to the active application; it also serves as a check that a real user is interacting with the desktop.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege (2 events) N/A C:\Users\Admin\AppData\Local\Temp\d44651217b87d290e2be6c004e8732817bf1d3d61043a93b25e1130ab7a56c7d.exe N/A

Enabling SeDebugPrivilege lets the process open handles to processes it would otherwise be denied, including SYSTEM-owned ones, and is the standard prelude to cross-process memory access such as the WriteProcessMemory calls below.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 2304 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\d44651217b87d290e2be6c004e8732817bf1d3d61043a93b25e1130ab7a56c7d.exe C:\Users\Admin\AppData\Local\Temp\d44651217b87d290e2be6c004e8732817bf1d3d61043a93b25e1130ab7a56c7d.exe

Process and target are the same executable: the parent launched a second copy of itself and wrote into it nine times. Read together with the SetThreadContext hit in the activity summary, this is the sequence used for process hollowing (start a copy of an image suspended, overwrite its memory with the real payload, redirect the main thread into it), so the live payload is in the child's memory rather than in the file on disk.
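
A detection for the self-injection pattern above, as an added example that is not part of the sandbox report. It replays a constructed event stream modelled on the behavioral2 run (the PIDs and image path are the report's; the event shape and field names are assumptions, not Sysmon's schema, although the same data is available from Sysmon EventID 1 and 10) and flags a parent that launches its own executable, writes into that child, and changes a thread context in it.

```python
"""Self-injection / process-hollowing heuristic (added example; not from the sandbox report)."""
from collections import defaultdict

SAMPLE_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\d44651217b87d290e2be6c004e8732817bf1d3d61043a93b25e1130ab7a56c7d.exe")

# Constructed event stream; field names are assumed, PIDs and paths follow the report.
EVENTS = [
    {"type": "process_create", "pid": 1984, "ppid": 600,
     "image": SAMPLE_IMAGE, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 2304, "ppid": 1984,
     "image": SAMPLE_IMAGE, "parent_image": SAMPLE_IMAGE},
] + [
    {"type": "memory_write", "pid": 1984, "target_pid": 2304} for _ in range(9)
] + [
    {"type": "set_thread_context", "pid": 1984, "target_pid": 2304},
    # Benign control: a shell spawning a copy of itself without touching its memory
    {"type": "process_create", "pid": 3000, "ppid": 2900,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\cmd.exe"},
]


def detect_self_hollowing(events, min_writes=1):
    """Return one finding per (parent, child) pair that matches the hollowing pattern.

    Score: child has the parent's image = 1, parent wrote into the child = 1,
    parent changed a thread context in the child = 1.  3 is the full sequence,
    2 is worth triage, 1 (a program merely re-launching itself) is ignored.
    """
    same_image = {}             # child pid -> parent pid
    writes = defaultdict(int)   # (parent, child) -> number of memory writes
    ctx = set()                 # (parent, child) pairs with a thread-context change
    for ev in events:
        kind = ev["type"]
        if kind == "process_create" and ev["image"].lower() == ev["parent_image"].lower():
            same_image[ev["pid"]] = ev["ppid"]
        elif kind == "memory_write":
            writes[(ev["pid"], ev["target_pid"])] += 1
        elif kind == "set_thread_context":
            ctx.add((ev["pid"], ev["target_pid"]))

    findings = []
    for child, parent in same_image.items():
        key = (parent, child)
        score = 1 + int(writes[key] >= min_writes) + int(key in ctx)
        if score >= 2:
            findings.append({"parent": parent, "child": child, "writes": writes[key],
                             "thread_context": key in ctx, "score": score})
    return findings


if __name__ == "__main__":
    for finding in detect_self_hollowing(EVENTS):
        print(finding)
```

On a real host the memory-write leg is best approximated with Sysmon EventID 10 (ProcessAccess) filtered on a GrantedAccess mask that includes PROCESS_VM_WRITE, since user-mode WriteProcessMemory itself is not logged.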

Processes

PID 1984 (parent, launched by the sandbox)
"C:\Users\Admin\AppData\Local\Temp\d44651217b87d290e2be6c004e8732817bf1d3d61043a93b25e1130ab7a56c7d.exe"

PID 2304 (child, a second copy of the same executable spawned by 1984)
"C:\Users\Admin\AppData\Local\Temp\d44651217b87d290e2be6c004e8732817bf1d3d61043a93b25e1130ab7a56c7d.exe"

The PIDs are taken from the WriteProcessMemory and memory-dump entries; the Processes table itself lists only the two command lines.

Network

Country Destination Domain Proto Connections
NL 45.133.1.217:3335 best.supportredirect.net tcp 5
US 8.8.8.8:53 best.supportredirect.net udp 2 (DNS lookups)
US 52.168.117.169:443 (none) tcp 1
NL 104.110.191.140:80 (none) tcp 1
US 204.79.197.203:80 (none) tcp 1
NL 88.221.144.179:80 (none) tcp 1

The sample resolved best.supportredirect.net through 8.8.8.8 and then opened five TCP connections to 45.133.1.217 on the non-standard port 3335, reconnecting repeatedly during the 153-second run; that domain, IP and port triple is the command-and-control indicator to block and hunt on. The four HTTP/HTTPS destinations have no DNS lookup attributed to them in this report and cannot be tied to the sample from this evidence alone; check them against a clean run on the same image before publishing them as indicators.
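
The triage step a practitioner would apply to the network table above, as an added example that is not part of the sandbox report: parse the rows as the report prints them, aggregate by destination, and rank each destination by whether the sample resolved a domain for it, whether the port is non-standard, and how often it reconnected. The scoring weights are an assumption chosen for this illustration; the rows are the report's own.

```python
"""Rank sandbox network rows into IOC candidates (added example; not from the sandbox report)."""
from collections import Counter

# The behavioral2 Network table, one row per line, as the report prints it.
NETWORK_ROWS = """\
US 52.168.117.169:443 tcp
US 8.8.8.8:53 best.supportredirect.net udp
NL 45.133.1.217:3335 best.supportredirect.net tcp
NL 104.110.191.140:80 tcp
US 204.79.197.203:80 tcp
NL 88.221.144.179:80 tcp
NL 45.133.1.217:3335 best.supportredirect.net tcp
NL 45.133.1.217:3335 best.supportredirect.net tcp
US 8.8.8.8:53 best.supportredirect.net udp
NL 45.133.1.217:3335 best.supportredirect.net tcp
NL 45.133.1.217:3335 best.supportredirect.net tcp
"""
COMMON_PORTS = {80, 443, 53}


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' lines into dicts; the Domain column is optional."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else None
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def rank_iocs(rows):
    """Aggregate per (ip, port, proto); score = domain attributed (+2), odd port (+2), reconnects (+1)."""
    agg, hits = {}, Counter()
    for r in rows:
        key = (r["ip"], r["port"], r["proto"])
        hits[key] += 1
        entry = agg.setdefault(key, {"ip": r["ip"], "port": r["port"], "proto": r["proto"],
                                     "country": r["country"], "domain": None})
        if r["domain"]:
            entry["domain"] = r["domain"]

    ranked = []
    for key, entry in agg.items():
        entry["connections"] = hits[key]
        score = 0
        if entry["domain"] and entry["port"] != 53:   # resolver rows carry the queried name, not a C2 hit
            score += 2
        if entry["port"] not in COMMON_PORTS:
            score += 2
        if entry["connections"] > 1:
            score += 1
        entry["score"] = score
        if entry["port"] == 53:
            entry["kind"] = "dns_lookup"
        elif score >= 4:
            entry["kind"] = "c2_candidate"
        else:
            entry["kind"] = "unvetted"        # no domain, common port: check against a clean baseline
        ranked.append(entry)
    ranked.sort(key=lambda e: (-e["score"], e["ip"]))
    return ranked


if __name__ == "__main__":
    for e in rank_iocs(parse_rows(NETWORK_ROWS)):
        print(f'{e["kind"]:13} {e["ip"]}:{e["port"]}/{e["proto"]} x{e["connections"]} '
              f'domain={e["domain"]} score={e["score"]}')
```

The "unvetted" bucket is deliberate: the four bare HTTP/HTTPS destinations carry no DNS evidence in this report, and publishing them as indicators without a baseline comparison is how benign infrastructure ends up on blocklists.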

Files

Memory dumps (PID-index-range):

memory/1984-130-0x0000000000830000-0x0000000000880000-memory.dmp
memory/1984-131-0x0000000005860000-0x0000000005E04000-memory.dmp
memory/1984-132-0x00000000052B0000-0x0000000005342000-memory.dmp
memory/1984-133-0x0000000005350000-0x000000000535A000-memory.dmp
memory/1984-134-0x0000000005F10000-0x0000000005FAC000-memory.dmp
memory/2304-135-0x0000000000000000-mapping.dmp
memory/2304-{136,138,140,141,142,143,147,150,151,152}-0x0000000000400000-0x0000000000454000-memory.dmp (ten dumps of the same region)
memory/2304-158-0x0000000005090000-0x00000000050F6000-memory.dmp

Five dumps come from the parent (PID 1984) and twelve from the child (PID 2304). The child's 0x00400000-0x00454000 range (0x54000 bytes, 336 KB, at the usual image base of a 32-bit executable) was captured ten times as its contents changed; together with the parent-to-child WriteProcessMemory events this is where the injected code lives, and it is the dump to carve for the HiveRAT payload and its configuration. The entry with a zero start address and no end range is a mapping record rather than a region dump.