Malware Analysis Report

2024-10-24 16:30

Sample ID 220420-cmk9esdbem
Target dacb1f83bda72e3242b9f541134724ff871ddbb671afb0698d357fafadf43ef0
SHA256 dacb1f83bda72e3242b9f541134724ff871ddbb671afb0698d357fafadf43ef0
Tags: hiverat collection rat stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: dacb1f83bda72e3242b9f541134724ff871ddbb671afb0698d357fafadf43ef0

Threat Level: Known bad

The file dacb1f83bda72e3242b9f541134724ff871ddbb671afb0698d357fafadf43ef0 was found to be: Known bad.

Malicious Activity Summary

hiverat collection rat stealer

HiveRAT

HiveRAT Payload

Checks computer location settings

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious behavior: EnumeratesProcesses

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-04-20 02:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-04-20 02:11

Reported: 2022-04-20 02:15

Platform: win7-20220414-en

Max time kernel: 152s

Max time network: 172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe"

Signatures

HiveRAT

rat stealer hiverat

HiveRAT Payload

Description Indicator Process Target
(15 signature hits; Description, Indicator, Process and Target recorded as N/A for every hit)

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 888 set thread context of 2016 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 888 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 888 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 888 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 888 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 888 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 888 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 888 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 888 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 888 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 888 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 888 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 888 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 888 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 888 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 888 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 888 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 888 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJRcDllTRTGck" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4B3.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 mail.unalanguvenlik.com udp
TR 5.2.85.31:587 mail.unalanguvenlik.com tcp
DE 79.134.225.37:30490 - tcp
DE 79.134.225.37:30490 - tcp
DE 79.134.225.37:30490 - tcp
DE 79.134.225.37:30490 - tcp
DE 79.134.225.37:30490 - tcp
DE 79.134.225.37:30490 - tcp
DE 79.134.225.37:30490 - tcp
DE 79.134.225.37:30490 - tcp
DE 79.134.225.37:30490 - tcp

Files

memory/888-54-0x0000000075D21000-0x0000000075D23000-memory.dmp

memory/888-55-0x00000000742D0000-0x000000007487B000-memory.dmp

memory/1332-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4B3.tmp

MD5: b1dd2d4ec04b955410498da31d3a0e18
SHA1: 6996b8973b0a1d12763b334b157b434a9162e7a2
SHA256: 4da63c1ff0a016eb7530d6ed1a14a0037853611e5648f1aee83251b6f37d69eb
SHA512: 94c4ca175168d362d6c9d0c0f1db3aef2eaa14d824209f31da60911b5bac1ab00a93459c839560c2400c868036b847e756d455b049b3f74512b94296ecd5129e

memory/2016-58-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2016-59-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2016-61-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2016-62-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2016-63-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2016-64-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2016-65-0x000000000044CAFE-mapping.dmp

memory/2016-67-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2016-69-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2016-72-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2016-73-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2016-74-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2016-75-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2016-79-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2016-82-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2016-83-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2016-84-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2016-90-0x00000000742D0000-0x000000007487B000-memory.dmp

memory/2016-91-0x0000000002106000-0x0000000002117000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-04-20 02:11

Reported: 2022-04-20 02:14

Platform: win10v2004-20220414-en

Max time kernel: 155s

Max time network: 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe"

Signatures

HiveRAT

rat stealer hiverat

HiveRAT Payload

Description Indicator Process Target
(10 signature hits; Description, Indicator, Process and Target recorded as N/A for every hit)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4540 set thread context of 1104 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4540 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 4540 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 4540 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 4540 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4540 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4540 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4540 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4540 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4540 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4540 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4540 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4540 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4540 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4540 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4540 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4540 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4540 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4540 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJRcDllTRTGck" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD107.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

Network

Country Destination Domain Proto
US 52.182.141.63:443 - tcp
US 209.197.3.8:80 - tcp
US 209.197.3.8:80 - tcp
US 209.197.3.8:80 - tcp
DE 79.134.225.37:30490 - tcp
US 8.8.8.8:53 mail.unalanguvenlik.com udp
TR 5.2.85.31:587 mail.unalanguvenlik.com tcp
DE 79.134.225.37:30490 - tcp
DE 79.134.225.37:30490 - tcp
DE 79.134.225.37:30490 - tcp
DE 79.134.225.37:30490 - tcp
DE 79.134.225.37:30490 - tcp

Files

memory/4540-130-0x0000000074C60000-0x0000000075211000-memory.dmp

memory/1424-131-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD107.tmp

MD5: 100b819ca9f5a6565c7e44f3da76c1fc
SHA1: 0458692abc886d7a05093dd6e55d22c0b72a4eb5
SHA256: c027dd44af02222cca3d300cd748d63d086f370306fbcdeacf4bf066e79032bc
SHA512: f35d9585dd86c9840c6a833d3deda55bafd9c5738ca2d017fc24a833ecbfbe60c022a968069dd41d8cd1b6a2d29aaf9d38094bea187dcdb8a651c995381c573b

memory/1292-133-0x0000000000000000-mapping.dmp

memory/3972-134-0x0000000000000000-mapping.dmp

memory/1104-135-0x0000000000000000-mapping.dmp

memory/1104-136-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1104-138-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1104-139-0x0000000074C60000-0x0000000075211000-memory.dmp

memory/1104-141-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1104-142-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1104-143-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1104-144-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1104-148-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1104-151-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1104-153-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1104-152-0x0000000000400000-0x0000000000454000-memory.dmp