Overview

overview

10

Static

static

93eb342b1d...63.exe

windows7_x64

10

93eb342b1d...63.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    03-05-2022 20:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe

  • Size

    440KB

  • MD5

    18173a14dda8acb4faec79500b81083f

  • SHA1

    0a5324267c4d4befdd89add3c1d8d9c467a85902

  • SHA256

    93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063

  • SHA512

    aa3fc2bf78430ead7177592c58dccaa5fd4ad001e19d195d5fd387b791414c9aad39fb8ea7aff5c303a12f37fc4a94f094de18f7de8119deb890814526c5187a

Score
10/10
hiveratpersistenceratstealer

Malware Config

Signatures

  • HiveRAT

    HiveRAT is an improved version of FirebirdRAT with various capabilities.

    ratstealerhiverat
  • HiveRAT Payload 15 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe
    "C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1472
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
        3⤵
          PID:1696
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
        2⤵
        • Adds Run key to start application
        PID:444

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Execution.vbs
      Filesize

      524B

      MD5

      e3019120295b6178f061cfe4baeed5ba

      SHA1

      72009d5905db5431bc089533ebb76021cbaa611c

      SHA256

      e35f85ac0d9275bf3750e08b9c46229a90afc486827f6284d0e82fba969bc88b

      SHA512

      c0eac0bbfbca877fb072d5526a30f87be4bb1be5bee35a4866052e406f953ff764da001a671a8218126c55893a61bf7546c15b6db2bbd3917f78b7f44fbb73b4

      Download Submit

    • memory/444-96-0x0000000000000000-mapping.dmp

      Download

    • memory/1472-68-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1472-60-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1472-72-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1472-59-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1472-73-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1472-62-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1472-63-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1472-74-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1472-65-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1472-66-0x000000000044C95E-mapping.dmp

      Download

    • memory/1472-83-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1472-70-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1472-84-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1472-82-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1472-64-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1472-75-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1472-79-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1672-57-0x00000000002C0000-0x00000000002E4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1672-58-0x0000000000510000-0x0000000000522000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1672-54-0x0000000000EC0000-0x0000000000F34000-memory.dmp

      Filesize

      464KB

      Download

    • memory/1672-56-0x0000000000210000-0x0000000000230000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1672-55-0x00000000753B1000-0x00000000753B3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1696-91-0x0000000000000000-mapping.dmp

      Download

    • memory/1696-93-0x000000006F991000-0x000000006F993000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1712-94-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp

      Filesize

      8KB

      Download