hiverat | 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c

General

Target

15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
Size

584KB
MD5

d21695b6d9bdd7ed0e35a0c70ce38205
SHA1

33522e95507f48e68a981b1097bcbe0354e31c1a
SHA256

15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c
SHA512

0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

Score

10^/10

hiverat rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

HiveRAT Payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2020-61-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2020-62-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2020-63-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2020-65-0x000000000044CB3E-mapping.dmp	family_hiverat
behavioral1/memory/2020-64-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2020-68-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2020-70-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Executes dropped EXE 1 IoCs

Processes:

15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

pid process

2020 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

pid	process
2020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

Drops startup file 2 IoCs

Processes:

15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

Loads dropped DLL 6 IoCs

Processes:

15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exeWerFault.exe

pid	process
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
1236	WerFault.exe
1236	WerFault.exe
1236	WerFault.exe
1236	WerFault.exe
1236	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

description	pid	process	target process
PID 2000 set thread context of 2020	2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1236 2020 WerFault.exe 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

pid	pid_target	process	target process
1236	2020	WerFault.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

pid	process
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

description pid process

Token: SeDebugPrivilege 2000 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

description	pid	process
Token: SeDebugPrivilege	2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

description	pid	process	target process
PID 2000 wrote to memory of 2020	2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 2000 wrote to memory of 2020	2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 2000 wrote to memory of 2020	2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 2000 wrote to memory of 2020	2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 2000 wrote to memory of 2020	2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 2000 wrote to memory of 2020	2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 2000 wrote to memory of 2020	2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 2000 wrote to memory of 2020	2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 2000 wrote to memory of 2020	2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 2000 wrote to memory of 2020	2000	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 2020 wrote to memory of 1236	2020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	WerFault.exe
PID 2020 wrote to memory of 1236	2020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	WerFault.exe
PID 2020 wrote to memory of 1236	2020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	WerFault.exe
PID 2020 wrote to memory of 1236	2020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
"C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
  "C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 532
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1236

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

Filesize
584KB

MD5
d21695b6d9bdd7ed0e35a0c70ce38205

SHA1
33522e95507f48e68a981b1097bcbe0354e31c1a

SHA256
15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c

SHA512
0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

Download Submit
\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

Filesize
584KB

MD5
d21695b6d9bdd7ed0e35a0c70ce38205

SHA1
33522e95507f48e68a981b1097bcbe0354e31c1a

SHA256
15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c

SHA512
0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

Download Submit
\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

Filesize
584KB

MD5
d21695b6d9bdd7ed0e35a0c70ce38205

SHA1
33522e95507f48e68a981b1097bcbe0354e31c1a

SHA256
15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c

SHA512
0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

Download Submit
\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

Filesize
584KB

MD5
d21695b6d9bdd7ed0e35a0c70ce38205

SHA1
33522e95507f48e68a981b1097bcbe0354e31c1a

SHA256
15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c

SHA512
0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

Download Submit
\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

Filesize
584KB

MD5
d21695b6d9bdd7ed0e35a0c70ce38205

SHA1
33522e95507f48e68a981b1097bcbe0354e31c1a

SHA256
15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c

SHA512
0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

Download Submit
\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

Filesize
584KB

MD5
d21695b6d9bdd7ed0e35a0c70ce38205

SHA1
33522e95507f48e68a981b1097bcbe0354e31c1a

SHA256
15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c

SHA512
0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

Download Submit
\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

Filesize
584KB

MD5
d21695b6d9bdd7ed0e35a0c70ce38205

SHA1
33522e95507f48e68a981b1097bcbe0354e31c1a

SHA256
15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c

SHA512
0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

Download Submit
memory/1236-71-0x0000000000000000-mapping.dmp

Download
memory/2000-56-0x0000000001250000-0x00000000012E2000-memory.dmp

Filesize
584KB

Download
memory/2000-54-0x0000000001300000-0x0000000001398000-memory.dmp

Filesize
608KB

Download
memory/2000-55-0x0000000075221000-0x0000000075223000-memory.dmp

Filesize
8KB

Download
memory/2020-62-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2020-68-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2020-70-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2020-64-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2020-65-0x000000000044CB3E-mapping.dmp

Download
memory/2020-63-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2020-61-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2020-59-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2020-58-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads