hiverat | 9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1

General

Target

9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
Size

304KB
MD5

9ba758b08ecfb820c6da64d7f954cbed
SHA1

1c3739294d3a6fa957d007098854e308c88e717d
SHA256

9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1
SHA512

359f44fb16b00916ff16f3a5c8a71d493f1a030beca9c1b848e3885ad8aab00d15f7c77afea6d6375eafc30fa0e7914a9f6b2fe1ce6be0bc83e4819f1a88b9c6

Score

10^/10

hiverat rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/1880-55-0x00000000007B0000-0x00000000007FA000-memory.dmp	beds_protector

HiveRAT Payload 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2020-60-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2020-61-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2020-62-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2020-63-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2020-64-0x000000000044C90E-mapping.dmp	family_hiverat
behavioral1/memory/2020-66-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2020-68-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2020-70-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2020-71-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2020-72-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2020-73-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2020-77-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2020-80-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2020-81-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2020-82-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Drops startup file 2 IoCs

Processes:

9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updates_.exe	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updates_.exe	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe

description	pid	process	target process
PID 1880 set thread context of 2020	1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe

pid	process
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe

pid process

2020 9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe

pid	process
2020	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe

description	pid	process
Token: SeDebugPrivilege	1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
Token: SeDebugPrivilege	2020	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe

description	pid	process	target process
PID 1880 wrote to memory of 2020	1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
PID 1880 wrote to memory of 2020	1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
PID 1880 wrote to memory of 2020	1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
PID 1880 wrote to memory of 2020	1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
PID 1880 wrote to memory of 2020	1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
PID 1880 wrote to memory of 2020	1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
PID 1880 wrote to memory of 2020	1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
PID 1880 wrote to memory of 2020	1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
PID 1880 wrote to memory of 2020	1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
PID 1880 wrote to memory of 2020	1880	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe	9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe

C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
"C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe
  "C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1880-54-0x0000000000E40000-0x0000000000E90000-memory.dmp

Filesize
320KB

Download
memory/1880-55-0x00000000007B0000-0x00000000007FA000-memory.dmp

Filesize
296KB

Download
memory/1880-56-0x00000000758D1000-0x00000000758D3000-memory.dmp

Filesize
8KB

Download
memory/2020-57-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2020-58-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2020-60-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2020-61-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2020-62-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2020-63-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2020-64-0x000000000044C90E-mapping.dmp

Download
memory/2020-66-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2020-68-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2020-70-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2020-71-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2020-72-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2020-73-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2020-77-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2020-80-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2020-81-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2020-82-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads