Malware Analysis Report

2024-10-24 16:30

Sample ID 220511-c4txwsgeej
Target 1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd
SHA256 1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd
Tags: hiverat persistence rat stealer

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd

Threat Level: Known bad

The file 1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd was found to be: Known bad.

Malicious Activity Summary

hiverat persistence rat stealer

HiveRAT

HiveRAT Payload

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-05-11 02:38

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-05-11 02:38

Reported: 2022-05-11 04:01

Platform: win10v2004-20220414-en

Max time kernel: 62s

Max time network: 129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe

"C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Network

Country Destination Domain Proto
IE 20.50.73.9:443 tcp
BE 8.238.110.126:80 tcp
BE 8.238.110.126:80 tcp

Files

memory/1844-130-0x0000000000310000-0x0000000000372000-memory.dmp

memory/1844-131-0x0000000004CF0000-0x0000000004D8C000-memory.dmp

memory/1844-132-0x0000000009E10000-0x000000000A3B4000-memory.dmp

memory/1844-133-0x0000000009940000-0x00000000099D2000-memory.dmp

memory/1844-134-0x00000000060D0000-0x00000000060F2000-memory.dmp

memory/4092-135-0x0000000000000000-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-11 02:38

Reported: 2022-05-11 04:00

Platform: win7-20220414-en

Max time kernel: 149s

Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe"

Signatures

HiveRAT

Tags: rat stealer hiverat

HiveRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Avast Essentialsq = "C:\\Users\\Admin\\AppData\\Roaming\\Avastr.exe" C:\Windows\System32\WScript.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1564 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1564 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1564 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1564 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1564 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1564 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1564 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1564 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1564 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1564 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1564 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1564 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1564 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 820 wrote to memory of 1760 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\explorer.exe
PID 820 wrote to memory of 1760 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\explorer.exe
PID 820 wrote to memory of 1760 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\explorer.exe
PID 820 wrote to memory of 1760 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\explorer.exe
PID 1888 wrote to memory of 1924 N/A C:\Windows\explorer.exe C:\Windows\System32\WScript.exe
PID 1888 wrote to memory of 1924 N/A C:\Windows\explorer.exe C:\Windows\System32\WScript.exe
PID 1888 wrote to memory of 1924 N/A C:\Windows\explorer.exe C:\Windows\System32\WScript.exe
PID 1564 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe C:\Windows\SysWOW64\WerFault.exe
PID 1564 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe C:\Windows\SysWOW64\WerFault.exe
PID 1564 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe C:\Windows\SysWOW64\WerFault.exe
PID 1564 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe

"C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1780

Network

Country Destination Domain Proto
US 8.8.8.8:53 john0071.duckdns.org udp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
US 8.8.8.8:53 www.ecb.int udp
DE 185.5.82.138:80 www.ecb.int tcp
DE 185.5.82.138:443 www.ecb.int tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
US 8.8.8.8:53 john0071.duckdns.org udp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp
PK 119.154.160.131:1515 john0071.duckdns.org tcp

Files

memory/1564-54-0x0000000000350000-0x00000000003B2000-memory.dmp

memory/1564-55-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

memory/1564-56-0x0000000000560000-0x000000000058E000-memory.dmp

memory/1564-57-0x0000000000590000-0x00000000005C0000-memory.dmp

memory/1564-58-0x0000000000700000-0x0000000000718000-memory.dmp

memory/1564-59-0x0000000000730000-0x0000000000736000-memory.dmp

memory/820-60-0x0000000000400000-0x0000000000454000-memory.dmp

memory/820-61-0x0000000000400000-0x0000000000454000-memory.dmp

memory/820-63-0x0000000000400000-0x0000000000454000-memory.dmp

memory/820-64-0x0000000000400000-0x0000000000454000-memory.dmp

memory/820-65-0x0000000000400000-0x0000000000454000-memory.dmp

memory/820-66-0x0000000000400000-0x0000000000454000-memory.dmp

memory/820-67-0x000000000044CA7E-mapping.dmp

memory/820-69-0x0000000000400000-0x0000000000454000-memory.dmp

memory/820-71-0x0000000000400000-0x0000000000454000-memory.dmp

memory/820-73-0x0000000000400000-0x0000000000454000-memory.dmp

memory/820-75-0x0000000000400000-0x0000000000454000-memory.dmp

memory/820-74-0x0000000000400000-0x0000000000454000-memory.dmp

memory/820-76-0x0000000000400000-0x0000000000454000-memory.dmp

memory/820-80-0x0000000000400000-0x0000000000454000-memory.dmp

memory/820-83-0x0000000000400000-0x0000000000454000-memory.dmp

memory/820-84-0x0000000000400000-0x0000000000454000-memory.dmp

memory/820-85-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1760-92-0x0000000000000000-mapping.dmp

memory/1760-94-0x000000006C5A1000-0x000000006C5A3000-memory.dmp

memory/1888-95-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

C:\Users\Admin\AppData\Local\Execution.vbs

MD5 03fb16e9adeaba44143302d5f1059ab0
SHA1 42270b26cffd20e44bdf6b985ab52600b64a3fca
SHA256 058ef8fa720792e6e130fd1a80752bb06e695d3c4fc8fc75d0f27deb5049e761
SHA512 8dba4f8e94780a926200dce2d047cacd086f2bd1550bf0070583752d38828cb48dcfb45bb944095dca753ffb3d20570ee02df12d083a259f0a88973a6b4a6c21

memory/1924-97-0x0000000000000000-mapping.dmp

memory/1896-98-0x0000000000000000-mapping.dmp