hiverat | 4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd

General

Target

4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
Size

336KB
MD5

91e106a5e590b4f24d0ebc1968ea3fe5
SHA1

f76cfc548c96e0715b8927e7da4a6fc3048880c2
SHA256

4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd
SHA512

b2504d1d065b9b046e8afd35c2d5999f5f1dddb00995c1157ff3131b49c1b7c65cf3110f9b50ef306f9b9a31fd676e7b5331b82adb5b3c542d9a43d272e4bf1d

Score

10^/10

hiverat rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

HiveRAT Payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/452-136-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/452-138-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/452-140-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/452-141-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/452-142-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/452-143-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/452-147-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/452-150-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/452-151-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/452-152-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Drops startup file 2 IoCs

Processes:

4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sys.exe	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sys.exe	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe

description	pid	process	target process
PID 792 set thread context of 452	792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe

pid	process
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe

pid process

452 4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe

pid	process
452	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe

description	pid	process
Token: SeDebugPrivilege	792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
Token: SeDebugPrivilege	452	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe

description	pid	process	target process
PID 792 wrote to memory of 3936	792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
PID 792 wrote to memory of 3936	792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
PID 792 wrote to memory of 3936	792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
PID 792 wrote to memory of 452	792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
PID 792 wrote to memory of 452	792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
PID 792 wrote to memory of 452	792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
PID 792 wrote to memory of 452	792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
PID 792 wrote to memory of 452	792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
PID 792 wrote to memory of 452	792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
PID 792 wrote to memory of 452	792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
PID 792 wrote to memory of 452	792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
PID 792 wrote to memory of 452	792	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe	4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe

C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
"C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:792
- C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
  "C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe"
  2⤵
  PID:3936
- C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
  "C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:452

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/452-147-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/452-150-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/452-141-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/452-142-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/452-140-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/452-135-0x0000000000000000-mapping.dmp

Download
memory/452-136-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/452-138-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/452-159-0x0000000004F30000-0x0000000004F96000-memory.dmp

Filesize
408KB

Download
memory/452-152-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/452-151-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/452-143-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/792-130-0x0000000000810000-0x0000000000866000-memory.dmp

Filesize
344KB

Download
memory/792-131-0x00000000058E0000-0x0000000005E84000-memory.dmp

Filesize
5.6MB

Download
memory/792-133-0x00000000056B0000-0x000000000574C000-memory.dmp

Filesize
624KB

Download
memory/792-132-0x0000000005330000-0x00000000053C2000-memory.dmp

Filesize
584KB

Download
memory/792-158-0x0000000005550000-0x000000000555A000-memory.dmp

Filesize
40KB

Download
memory/3936-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads