Malware Analysis Report

2024-10-24 16:30

Sample ID 220503-y83w9aeegp
Target 93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063
SHA256 93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063
Tags hiverat persistence rat stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063

Threat Level: Known bad

The file 93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063 was found to be: Known bad.

Malicious Activity Summary

hiverat persistence rat stealer

HiveRAT

HiveRAT Payload

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-05-03 20:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-05-03 20:28
Reported 2022-05-03 20:30
Platform win7-20220414-en
Max time kernel 150s
Max time network 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe"

Signatures

HiveRAT

rat stealer hiverat

HiveRAT Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\System32\WScript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\AvastEssentialse = "C:\\Users\\Admin\\AppData\\Roaming\\Avastae.exe" | C:\Windows\System32\WScript.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1672 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1672 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1672 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1672 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1672 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1672 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1672 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1672 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1672 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1672 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1672 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1672 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1672 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1472 wrote to memory of 1696 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\SysWOW64\explorer.exe
PID 1472 wrote to memory of 1696 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\SysWOW64\explorer.exe
PID 1472 wrote to memory of 1696 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\SysWOW64\explorer.exe
PID 1472 wrote to memory of 1696 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\SysWOW64\explorer.exe
PID 1712 wrote to memory of 444 | N/A | C:\Windows\explorer.exe | C:\Windows\System32\WScript.exe
PID 1712 wrote to memory of 444 | N/A | C:\Windows\explorer.exe | C:\Windows\System32\WScript.exe
PID 1712 wrote to memory of 444 | N/A | C:\Windows\explorer.exe | C:\Windows\System32\WScript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe

"C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | yosire.duckdns.org | udp
US | 8.8.8.8:53 | yosire.duckdns.org | udp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
US | 8.8.8.8:53 | yosire.duckdns.org | udp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp

Files

memory/1672-54-0x0000000000EC0000-0x0000000000F34000-memory.dmp

memory/1672-55-0x00000000753B1000-0x00000000753B3000-memory.dmp

memory/1672-56-0x0000000000210000-0x0000000000230000-memory.dmp

memory/1672-57-0x00000000002C0000-0x00000000002E4000-memory.dmp

memory/1672-58-0x0000000000510000-0x0000000000522000-memory.dmp

memory/1472-59-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1472-60-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1472-62-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1472-63-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1472-64-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1472-65-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1472-66-0x000000000044C95E-mapping.dmp

memory/1472-68-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1472-70-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1472-72-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1472-73-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1472-74-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1472-75-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1472-79-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1472-82-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1472-84-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1472-83-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1696-91-0x0000000000000000-mapping.dmp

memory/1696-93-0x000000006F991000-0x000000006F993000-memory.dmp

memory/1712-94-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp

C:\Users\Admin\AppData\Local\Execution.vbs

MD5 e3019120295b6178f061cfe4baeed5ba
SHA1 72009d5905db5431bc089533ebb76021cbaa611c
SHA256 e35f85ac0d9275bf3750e08b9c46229a90afc486827f6284d0e82fba969bc88b
SHA512 c0eac0bbfbca877fb072d5526a30f87be4bb1be5bee35a4866052e406f953ff764da001a671a8218126c55893a61bf7546c15b6db2bbd3917f78b7f44fbb73b4

memory/444-96-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2022-05-03 20:28
Reported 2022-05-03 20:30
Platform win10v2004-20220414-en
Max time kernel 147s
Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe"

Signatures

HiveRAT

rat stealer hiverat

HiveRAT Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\System32\WScript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AvastEssentialse = "C:\\Users\\Admin\\AppData\\Roaming\\Avastae.exe" | C:\Windows\System32\WScript.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4908 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4908 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4908 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4908 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4908 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4908 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4908 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4908 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4908 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4504 wrote to memory of 824 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\SysWOW64\explorer.exe
PID 4504 wrote to memory of 824 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\SysWOW64\explorer.exe
PID 4504 wrote to memory of 824 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\SysWOW64\explorer.exe
PID 1672 wrote to memory of 2488 | N/A | C:\Windows\explorer.exe | C:\Windows\System32\WScript.exe
PID 1672 wrote to memory of 2488 | N/A | C:\Windows\explorer.exe | C:\Windows\System32\WScript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe

"C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"

Network

Country | Destination | Domain | Proto
NL | 20.190.160.71:443 |  | tcp
US | 93.184.220.29:80 |  | tcp
NL | 20.190.160.4:443 |  | tcp
US | 8.248.21.254:80 |  | tcp
US | 8.248.21.254:80 |  | tcp
US | 8.8.8.8:53 | yosire.duckdns.org | udp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
NL | 20.190.160.129:443 |  | tcp
IE | 13.69.239.72:443 |  | tcp
US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp
US | 8.248.21.254:80 |  | tcp
US | 8.248.21.254:80 |  | tcp
US | 8.248.21.254:80 |  | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
NL | 20.190.160.73:443 |  | tcp
US | 8.8.8.8:53 | 7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa | udp
NL | 20.190.160.132:443 |  | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
NL | 20.190.160.136:443 |  | tcp
US | 8.8.8.8:53 | yosire.duckdns.org | udp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp
PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp

Files

memory/4908-130-0x0000000000500000-0x0000000000574000-memory.dmp

memory/4908-131-0x0000000004ED0000-0x0000000004F6C000-memory.dmp

memory/4908-132-0x0000000007D00000-0x00000000082A4000-memory.dmp

memory/4908-133-0x0000000007830000-0x00000000078C2000-memory.dmp

memory/4908-134-0x0000000007CC0000-0x0000000007CE2000-memory.dmp

memory/4504-135-0x0000000000000000-mapping.dmp

memory/4504-136-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4504-138-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4504-141-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4504-140-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4504-142-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4504-143-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4504-147-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4504-150-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4504-152-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4504-151-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4504-158-0x00000000057C0000-0x0000000005826000-memory.dmp

memory/824-159-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Execution.vbs

MD5 e3019120295b6178f061cfe4baeed5ba
SHA1 72009d5905db5431bc089533ebb76021cbaa611c
SHA256 e35f85ac0d9275bf3750e08b9c46229a90afc486827f6284d0e82fba969bc88b
SHA512 c0eac0bbfbca877fb072d5526a30f87be4bb1be5bee35a4866052e406f953ff764da001a671a8218126c55893a61bf7546c15b6db2bbd3917f78b7f44fbb73b4

memory/2488-161-0x0000000000000000-mapping.dmp