hiverat | 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c

General

Target

15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
Size

584KB
MD5

d21695b6d9bdd7ed0e35a0c70ce38205
SHA1

33522e95507f48e68a981b1097bcbe0354e31c1a
SHA256

15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c
SHA512

0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

Score

10^/10

hiverat rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

HiveRAT Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4964-136-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/4964-139-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Executes dropped EXE 1 IoCs

Processes:

15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

pid process

4964 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

pid	process
4964	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

Drops startup file 2 IoCs

Processes:

15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

description	pid	process	target process
PID 5020 set thread context of 4964	5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4876 4964 WerFault.exe 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

pid	pid_target	process	target process
4876	4964	WerFault.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

pid	process
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

description pid process

Token: SeDebugPrivilege 5020 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

description	pid	process
Token: SeDebugPrivilege	5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

description	pid	process	target process
PID 5020 wrote to memory of 4964	5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 5020 wrote to memory of 4964	5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 5020 wrote to memory of 4964	5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 5020 wrote to memory of 4964	5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 5020 wrote to memory of 4964	5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 5020 wrote to memory of 4964	5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 5020 wrote to memory of 4964	5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 5020 wrote to memory of 4964	5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
PID 5020 wrote to memory of 4964	5020	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe	15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
"C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe
  "C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe"
  2⤵
  - Executes dropped EXE
  PID:4964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 764
    3⤵
    - Program crash
    PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4964 -ip 4964
1⤵
PID:3584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c.exe

Filesize
584KB

MD5
d21695b6d9bdd7ed0e35a0c70ce38205

SHA1
33522e95507f48e68a981b1097bcbe0354e31c1a

SHA256
15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c

SHA512
0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

Download Submit
memory/4964-135-0x0000000000000000-mapping.dmp

Download
memory/4964-136-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4964-139-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/5020-130-0x0000000000FE0000-0x0000000001078000-memory.dmp

Filesize
608KB

Download
memory/5020-131-0x00000000060D0000-0x0000000006674000-memory.dmp

Filesize
5.6MB

Download
memory/5020-132-0x0000000005A10000-0x0000000005AA2000-memory.dmp

Filesize
584KB

Download
memory/5020-133-0x0000000005B00000-0x0000000005B0A000-memory.dmp

Filesize
40KB

Download
memory/5020-134-0x0000000006680000-0x000000000671C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads