Overview

overview

10

Static

static

87f368326e...1d.exe

windows7_x64

10

87f368326e...1d.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    190s
  • max time network
    208s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08-05-2022 06:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    87f368326e3250f12dd518b3b0dfe773a67f47f9bf3347678eec99bf2045ee1d.exe

  • Size

    289KB

  • MD5

    77b680976090d7a835d4b8fe78261bac

  • SHA1

    a9362e3123fe9dd18bc252ba9c2620265227a63b

  • SHA256

    87f368326e3250f12dd518b3b0dfe773a67f47f9bf3347678eec99bf2045ee1d

  • SHA512

    51850a8e64e2133caf4f558ac9bbaef62ef7b2291f8d7d7b0dc4fa0bf8cc309caf48d898e0bbc9e31dbd90d7c46616242c7f4fb88f6422fe918e30cdcc8cfa3e

Score
10/10
hiveratratstealer

Malware Config

Signatures

  • HiveRAT

    HiveRAT is an improved version of FirebirdRAT with various capabilities.

    ratstealerhiverat
  • HiveRAT Payload 10 IoCs
  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\87f368326e3250f12dd518b3b0dfe773a67f47f9bf3347678eec99bf2045ee1d.exe
    "C:\Users\Admin\AppData\Local\Temp\87f368326e3250f12dd518b3b0dfe773a67f47f9bf3347678eec99bf2045ee1d.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3172
    • C:\Users\Admin\AppData\Local\Temp\87f368326e3250f12dd518b3b0dfe773a67f47f9bf3347678eec99bf2045ee1d.exe
      "C:\Users\Admin\AppData\Local\Temp\87f368326e3250f12dd518b3b0dfe773a67f47f9bf3347678eec99bf2045ee1d.exe"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:5092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3172-130-0x0000000000DD0000-0x0000000000E1E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/3172-131-0x0000000005E30000-0x00000000063D4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3172-132-0x00000000057B0000-0x0000000005842000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3172-133-0x0000000005A10000-0x0000000005AAC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3172-142-0x00000000059D0000-0x00000000059DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5092-140-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/5092-137-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/5092-139-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/5092-135-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/5092-134-0x0000000000000000-mapping.dmp

    Download

  • memory/5092-141-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/5092-143-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/5092-147-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/5092-150-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/5092-152-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/5092-151-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/5092-158-0x0000000005810000-0x0000000005876000-memory.dmp

    Filesize

    408KB

    Download