hiverat | 1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd

General

Target

1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe
Size

364KB
MD5

9af2b3841221ccb778c03f8535853d59
SHA1

80fac73976ca4b7978d7ec8cb9a6962347cea18a
SHA256

1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd
SHA512

ae55d19c3cec653074dbf46ff313ee55d68297c6b6fd2ef9d24730cf7094f59a62621e6a59c5ca6ffce071bd57fd61d95ab32580d01b6a1c439b6cb7ce59cc04

Score

10^/10

hiverat persistence rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

HiveRAT Payload 15 IoCs

resource	yara_rule
behavioral1/memory/820-63-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/820-64-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/820-65-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/820-66-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/820-67-0x000000000044CA7E-mapping.dmp	family_hiverat
behavioral1/memory/820-69-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/820-71-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/820-73-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/820-75-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/820-74-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/820-76-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/820-80-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/820-83-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/820-84-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/820-85-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Avast Essentialsq = "C:\\Users\\Admin\\AppData\\Roaming\\Avastr.exe"	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1564 set thread context of 820	1564	1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe	27

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1896	1564	WerFault.exe	26

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
820	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1564	1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe
Token: SeDebugPrivilege	820	InstallUtil.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 820	1564	1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe	27
PID 1564 wrote to memory of 820	1564	1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe	27
PID 1564 wrote to memory of 820	1564	1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe	27
PID 1564 wrote to memory of 820	1564	1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe	27
PID 1564 wrote to memory of 820	1564	1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe	27
PID 1564 wrote to memory of 820	1564	1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe	27
PID 1564 wrote to memory of 820	1564	1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe	27
PID 1564 wrote to memory of 820	1564	1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe	27
PID 1564 wrote to memory of 820	1564	1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe	27
PID 1564 wrote to memory of 820	1564	1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe	27
PID 1564 wrote to memory of 820	1564	1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe	27
PID 1564 wrote to memory of 820	1564	1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe	27
PID 1564 wrote to memory of 820	1564	1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe	27
PID 820 wrote to memory of 1760	820	InstallUtil.exe	28
PID 820 wrote to memory of 1760	820	InstallUtil.exe	28
PID 820 wrote to memory of 1760	820	InstallUtil.exe	28
PID 820 wrote to memory of 1760	820	InstallUtil.exe	28
PID 1888 wrote to memory of 1924	1888	explorer.exe	30
PID 1888 wrote to memory of 1924	1888	explorer.exe	30
PID 1888 wrote to memory of 1924	1888	explorer.exe	30
PID 1564 wrote to memory of 1896	1564	1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe	31
PID 1564 wrote to memory of 1896	1564	1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe	31
PID 1564 wrote to memory of 1896	1564	1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe	31
PID 1564 wrote to memory of 1896	1564	1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe	31

C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe
"C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
    3⤵
    PID:1760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1780
  2⤵
  - Program crash
  PID:1896

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
  2⤵
  - Adds Run key to start application
  PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Execution.vbs

Filesize
522B

MD5
03fb16e9adeaba44143302d5f1059ab0

SHA1
42270b26cffd20e44bdf6b985ab52600b64a3fca

SHA256
058ef8fa720792e6e130fd1a80752bb06e695d3c4fc8fc75d0f27deb5049e761

SHA512
8dba4f8e94780a926200dce2d047cacd086f2bd1550bf0070583752d38828cb48dcfb45bb944095dca753ffb3d20570ee02df12d083a259f0a88973a6b4a6c21

Download Submit
memory/820-71-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/820-83-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/820-69-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/820-85-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/820-84-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/820-60-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/820-61-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/820-63-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/820-64-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/820-65-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/820-66-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/820-73-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/820-76-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/820-80-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/820-75-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/820-74-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1564-55-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

Filesize
8KB

Download
memory/1564-56-0x0000000000560000-0x000000000058E000-memory.dmp

Filesize
184KB

Download
memory/1564-59-0x0000000000730000-0x0000000000736000-memory.dmp

Filesize
24KB

Download
memory/1564-58-0x0000000000700000-0x0000000000718000-memory.dmp

Filesize
96KB

Download
memory/1564-54-0x0000000000350000-0x00000000003B2000-memory.dmp

Filesize
392KB

Download
memory/1564-57-0x0000000000590000-0x00000000005C0000-memory.dmp

Filesize
192KB

Download
memory/1760-94-0x000000006C5A1000-0x000000006C5A3000-memory.dmp

Filesize
8KB

Download
memory/1888-95-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing