hiverat | f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa

General

Target

f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
Size

658KB
MD5

640951b3332d0b24cd9891c936f92de5
SHA1

2acf005cada97d7fe4aded561c69e631b3afb5b8
SHA256

f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa
SHA512

09f339ebbc6f2505550f43fa9d12fc5329c69a52ae343c78d629f864389787c9a35b3b6a81eee375d4f2fce0b76903cfa1b3fed98b9e88588720e38a1ae3e15b

Score

10^/10

hiverat rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

HiveRAT Payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/920-136-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/920-138-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/920-140-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/920-141-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/920-143-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/920-142-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/920-147-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/920-150-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/920-151-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/920-152-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Drops startup file 2 IoCs

Processes:

f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SysApp.exe	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SysApp.exe	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe

description	pid	process	target process
PID 4060 set thread context of 920	4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe

pid	process
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe

pid process

920 f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe

pid	process
920	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exef600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe

description	pid	process
Token: SeDebugPrivilege	4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
Token: SeDebugPrivilege	920	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe

description	pid	process	target process
PID 4060 wrote to memory of 4348	4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
PID 4060 wrote to memory of 4348	4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
PID 4060 wrote to memory of 4348	4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
PID 4060 wrote to memory of 920	4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
PID 4060 wrote to memory of 920	4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
PID 4060 wrote to memory of 920	4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
PID 4060 wrote to memory of 920	4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
PID 4060 wrote to memory of 920	4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
PID 4060 wrote to memory of 920	4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
PID 4060 wrote to memory of 920	4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
PID 4060 wrote to memory of 920	4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
PID 4060 wrote to memory of 920	4060	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe	f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe

C:\Users\Admin\AppData\Local\Temp\f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
"C:\Users\Admin\AppData\Local\Temp\f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Local\Temp\f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
  "C:\Users\Admin\AppData\Local\Temp\f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe"
  2⤵
  PID:4348
- C:\Users\Admin\AppData\Local\Temp\f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
  "C:\Users\Admin\AppData\Local\Temp\f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/920-147-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/920-150-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/920-141-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/920-143-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/920-140-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/920-135-0x0000000000000000-mapping.dmp

Download
memory/920-136-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/920-138-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/920-159-0x0000000005580000-0x00000000055E6000-memory.dmp

Filesize
408KB

Download
memory/920-152-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/920-151-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/920-142-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4060-130-0x00000000003A0000-0x000000000044A000-memory.dmp

Filesize
680KB

Download
memory/4060-131-0x0000000005450000-0x00000000059F4000-memory.dmp

Filesize
5.6MB

Download
memory/4060-133-0x0000000005080000-0x000000000511C000-memory.dmp

Filesize
624KB

Download
memory/4060-132-0x0000000004EA0000-0x0000000004F32000-memory.dmp

Filesize
584KB

Download
memory/4060-158-0x0000000005060000-0x000000000506A000-memory.dmp

Filesize
40KB

Download
memory/4348-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads