hiverat | 4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd

General

Target

4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
Size

336KB
MD5

91e106a5e590b4f24d0ebc1968ea3fe5
SHA1

f76cfc548c96e0715b8927e7da4a6fc3048880c2
SHA256

4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd
SHA512

b2504d1d065b9b046e8afd35c2d5999f5f1dddb00995c1157ff3131b49c1b7c65cf3110f9b50ef306f9b9a31fd676e7b5331b82adb5b3c542d9a43d272e4bf1d

Score

10^/10

hiverat rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

HiveRAT Payload 15 IoCs

resource	yara_rule
behavioral1/memory/1208-60-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1208-61-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1208-62-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1208-63-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1208-64-0x000000000044C93E-mapping.dmp	family_hiverat
behavioral1/memory/1208-66-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1208-68-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1208-70-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1208-71-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1208-73-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1208-72-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1208-77-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1208-80-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1208-82-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1208-81-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sys.exe	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sys.exe	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 936 set thread context of 1208	936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	28

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1208	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
Token: SeDebugPrivilege	1208	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 1208	936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	28
PID 936 wrote to memory of 1208	936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	28
PID 936 wrote to memory of 1208	936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	28
PID 936 wrote to memory of 1208	936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	28
PID 936 wrote to memory of 1208	936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	28
PID 936 wrote to memory of 1208	936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	28
PID 936 wrote to memory of 1208	936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	28
PID 936 wrote to memory of 1208	936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	28
PID 936 wrote to memory of 1208	936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	28
PID 936 wrote to memory of 1208	936	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	28

C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
"C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:936
- C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
  "C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1208

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/936-54-0x0000000000C50000-0x0000000000CA6000-memory.dmp

Filesize
344KB

Download
memory/936-55-0x0000000000BA0000-0x0000000000BDC000-memory.dmp

Filesize
240KB

Download
memory/936-56-0x00000000755C1000-0x00000000755C3000-memory.dmp

Filesize
8KB

Download
memory/1208-57-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1208-58-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1208-60-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1208-61-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1208-62-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1208-63-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1208-66-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1208-68-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1208-70-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1208-71-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1208-73-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1208-72-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1208-77-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1208-80-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1208-82-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1208-81-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing