General

  • Target

    deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62

  • Size

    7.6MB

  • Sample

    220516-xfh6psehfj

  • MD5

    efc5d47f6d5aa4dbd22cd109aa13ac30

  • SHA1

    6427617947cca1dc78c5091dcb2c051ab8d5b949

  • SHA256

    deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62

  • SHA512

    0bf945e9f5f84ed82df9d6c160fb495b0f0e121f86e03ee3cd7acad1e0059d914fffde6ea8e3322015aa184792bbd0f9e9f85697ef9a1d06e172b693f839af29

Malware Config

Targets

    • Target

      deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62

    • HiveRAT

      HiveRAT is an improved version of FirebirdRAT with various capabilities.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • HiveRAT Payload

    • Looks for VirtualBox Guest Additions in registry

    • XMRig Miner Payload

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext
