hiverat | a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e

General

Target

a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
Size

328KB
MD5

e8068367588a8265d548f30a1f44e8a6
SHA1

29db35a706c1be8dd53569697ae8df40d824c56f
SHA256

a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e
SHA512

27c1bc885c17a5ed7cb9d7634172abf61256a44af90759a403fe16d4eb4d0f4a24269682cffacbedf0cf2e3efabbff03ff2757d0f40adf948b6c691702626de9

Score

10^/10

hiverat rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/2032-55-0x00000000003E0000-0x000000000042E000-memory.dmp	beds_protector

HiveRAT Payload 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1488-60-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1488-61-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1488-62-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1488-63-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1488-64-0x000000000044C80E-mapping.dmp	family_hiverat
behavioral1/memory/1488-66-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1488-68-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1488-70-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1488-72-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1488-71-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1488-73-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1488-77-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1488-80-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1488-81-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1488-82-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Drops startup file 2 IoCs

Processes:

a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYS.exe	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYS.exe	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe

description	pid	process	target process
PID 2032 set thread context of 1488	2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe

pid	process
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe

pid process

1488 a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe

pid	process
1488	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exea89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe

description	pid	process
Token: SeDebugPrivilege	2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
Token: SeDebugPrivilege	1488	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe

description	pid	process	target process
PID 2032 wrote to memory of 1488	2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
PID 2032 wrote to memory of 1488	2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
PID 2032 wrote to memory of 1488	2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
PID 2032 wrote to memory of 1488	2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
PID 2032 wrote to memory of 1488	2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
PID 2032 wrote to memory of 1488	2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
PID 2032 wrote to memory of 1488	2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
PID 2032 wrote to memory of 1488	2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
PID 2032 wrote to memory of 1488	2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
PID 2032 wrote to memory of 1488	2032	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe	a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe

C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
"C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
  "C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1488-66-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1488-80-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1488-63-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1488-57-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1488-58-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1488-60-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1488-61-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1488-81-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1488-82-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1488-64-0x000000000044C80E-mapping.dmp

Download
memory/1488-62-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1488-68-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1488-70-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1488-72-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1488-71-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1488-73-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1488-77-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2032-55-0x00000000003E0000-0x000000000042E000-memory.dmp

Filesize
312KB

Download
memory/2032-54-0x0000000000AD0000-0x0000000000B28000-memory.dmp

Filesize
352KB

Download
memory/2032-56-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads