hiverat | deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62

General

Target

deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
Size

7.6MB
MD5

efc5d47f6d5aa4dbd22cd109aa13ac30
SHA1

6427617947cca1dc78c5091dcb2c051ab8d5b949
SHA256

deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62
SHA512

0bf945e9f5f84ed82df9d6c160fb495b0f0e121f86e03ee3cd7acad1e0059d914fffde6ea8e3322015aa184792bbd0f9e9f85697ef9a1d06e172b693f839af29

Score

10^/10

hiverat xmrig evasion miner rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

HiveRAT Payload 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/664-61-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat
behavioral1/memory/664-62-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat
behavioral1/memory/664-63-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat
behavioral1/memory/664-64-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat
behavioral1/memory/664-65-0x0000000000A212DE-mapping.dmp	family_hiverat
behavioral1/memory/664-67-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat
behavioral1/memory/664-69-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat
behavioral1/memory/664-72-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat
behavioral1/memory/664-73-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat
behavioral1/memory/664-74-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat
behavioral1/memory/664-75-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat
behavioral1/memory/664-79-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat
behavioral1/memory/664-83-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat
behavioral1/memory/664-84-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat
behavioral1/memory/664-82-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 8 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2020-98-0x0000000000400000-0x0000000000888000-memory.dmp	xmrig
behavioral1/memory/2020-100-0x0000000000400000-0x0000000000888000-memory.dmp	xmrig
behavioral1/memory/2020-102-0x0000000000400000-0x0000000000888000-memory.dmp	xmrig
behavioral1/memory/2020-103-0x0000000000400000-0x0000000000888000-memory.dmp	xmrig
behavioral1/memory/2020-104-0x0000000000400000-0x0000000000888000-memory.dmp	xmrig
behavioral1/memory/2020-106-0x0000000000400000-0x0000000000888000-memory.dmp	xmrig
behavioral1/memory/2020-110-0x0000000000400000-0x0000000000888000-memory.dmp	xmrig
behavioral1/memory/2020-111-0x0000000000400000-0x0000000000888000-memory.dmp	xmrig

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exedeb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

description	pid	process	target process
PID 1640 set thread context of 664	1640	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 664 set thread context of 2020	664	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2036 schtasks.exe

pid	process
2036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

pid	process
1640	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
1640	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exedeb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

description	pid	process
Token: SeDebugPrivilege	1640	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
Token: SeDebugPrivilege	664	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exedeb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

C:\Users\Admin\AppData\Local\Temp\deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
"C:\Users\Admin\AppData\Local\Temp\deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iuvFUtslgAL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8AE2.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
  "{path}"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Users\Admin\AppData\Local\Temp\deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
    "C:\Users\Admin\AppData\Local\Temp\deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe" -a cryptonight --url=http://xmrpool.eu:5555/ --userpass=44AZAavMaLRjQzY6RS8mXwUBKGoPa62Yb8gVx89rZ1bHN1uqKvqW9Q13k86Pf4ve1a37XUa23btkeJckxSfKfnJqBd6fAiM:X --max-cpu-usage=65
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution5.vbs"
    3⤵
    PID:696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Execution5.vbs

Filesize
563B

MD5
7dff540cd392d0b313d4ed0d55fafdef

SHA1
2da23e76c1afeb89396f85bfa0c7be638497c4f7

SHA256
eb5134b02d9aea8fabad254943009a3c837410b1693d6dee7af1dcb22fbccb45

SHA512
c613ec4e7d99640681be3a7ccbec63b6070dc974307889ba86911967576b34b5bb61e6ab188b85344f0a2dd24c0468ae141ade1a3af6efedec196f846b0a71ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8AE2.tmp

Filesize
1KB

MD5
4c4775e92dc03a506d67460dab264bab

SHA1
cd090e238b8d62b756ac5d3a677b9cd814e6da0b

SHA256
a96a1ff7a4b1d4a8381f39e3950b26a35bc3ba1af0ecbf2714c5de0dc0f7450c

SHA512
39e213498c21a3ae9efb17c7ce613d0e2091d2f2f3921ff9988515781e832acdcde84ec156db0675ee90177fc4f00aecf41a54e8e20f65d65d6aeea5921fcfff

Download Submit
memory/664-83-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/664-59-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/664-58-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/664-84-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/664-61-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/664-82-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/664-63-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/664-64-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/664-65-0x0000000000A212DE-mapping.dmp

Download
memory/664-67-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/664-69-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/664-72-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/664-73-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/664-74-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/664-75-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/664-79-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/664-90-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/664-62-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/696-112-0x0000000000000000-mapping.dmp

Download
memory/1640-55-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/1640-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/2020-94-0x0000000000400000-0x0000000000888000-memory.dmp

Filesize
4.5MB

Download
memory/2020-104-0x0000000000400000-0x0000000000888000-memory.dmp

Filesize
4.5MB

Download
memory/2020-96-0x0000000000400000-0x0000000000888000-memory.dmp

Filesize
4.5MB

Download
memory/2020-98-0x0000000000400000-0x0000000000888000-memory.dmp

Filesize
4.5MB

Download
memory/2020-92-0x0000000000400000-0x0000000000888000-memory.dmp

Filesize
4.5MB

Download
memory/2020-103-0x0000000000400000-0x0000000000888000-memory.dmp

Filesize
4.5MB

Download
memory/2020-91-0x0000000000400000-0x0000000000888000-memory.dmp

Filesize
4.5MB

Download
memory/2020-100-0x0000000000400000-0x0000000000888000-memory.dmp

Filesize
4.5MB

Download
memory/2020-107-0x0000000000401500-mapping.dmp

Download
memory/2020-106-0x0000000000400000-0x0000000000888000-memory.dmp

Filesize
4.5MB

Download
memory/2020-110-0x0000000000400000-0x0000000000888000-memory.dmp

Filesize
4.5MB

Download
memory/2020-111-0x0000000000400000-0x0000000000888000-memory.dmp

Filesize
4.5MB

Download
memory/2020-102-0x0000000000400000-0x0000000000888000-memory.dmp

Filesize
4.5MB

Download
memory/2036-56-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1640 wrote to memory of 2036	1640	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	schtasks.exe
PID 1640 wrote to memory of 2036	1640	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	schtasks.exe
PID 1640 wrote to memory of 2036	1640	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	schtasks.exe
PID 1640 wrote to memory of 2036	1640	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	schtasks.exe
PID 1640 wrote to memory of 664	1640	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 1640 wrote to memory of 664	1640	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 1640 wrote to memory of 664	1640	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 1640 wrote to memory of 664	1640	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 1640 wrote to memory of 664	1640	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 1640 wrote to memory of 664	1640	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 1640 wrote to memory of 664	1640	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 1640 wrote to memory of 664	1640	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 1640 wrote to memory of 664	1640	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 1640 wrote to memory of 664	1640	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 664 wrote to memory of 2020	664	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 664 wrote to memory of 2020	664	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 664 wrote to memory of 2020	664	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 664 wrote to memory of 2020	664	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 664 wrote to memory of 2020	664	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 664 wrote to memory of 2020	664	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 664 wrote to memory of 2020	664	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 664 wrote to memory of 2020	664	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 664 wrote to memory of 2020	664	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 664 wrote to memory of 2020	664	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 664 wrote to memory of 2020	664	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 664 wrote to memory of 2020	664	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 664 wrote to memory of 2020	664	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 664 wrote to memory of 2020	664	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 664 wrote to memory of 696	664	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	WScript.exe
PID 664 wrote to memory of 696	664	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	WScript.exe
PID 664 wrote to memory of 696	664	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	WScript.exe
PID 664 wrote to memory of 696	664	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	WScript.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads