hiverat | 9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced

General

Target

9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe
Size

300KB
MD5

1f8ef85018585c48b2abe7876f0d6e7e
SHA1

ddcc9c01e06187bed5c6c8b0ab7ca127428cf02c
SHA256

9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced
SHA512

d3a118b0fe2266b943f84aa6809565abbf12a1b2c326760f97233ed9ca9af1bf7a494c7a5d4c1495237c75d859123a1bb1b4b419dc3f9e6a43525849e5ad43ef

Score

10^/10

hiverat persistence rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

HiveRAT Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1956-54-0x00000000002A0000-0x00000000002F2000-memory.dmp	family_hiverat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Avast Essentials = "C:\\Users\\Admin\\AppData\\Roaming\\Avast.exe"	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe

pid process

1956 9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe

description pid process

Token: SeDebugPrivilege 1956 9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe

pid	process
1956	9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe

description	pid	process
Token: SeDebugPrivilege	1956	9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exeexplorer.exe

description	pid	process	target process
PID 1956 wrote to memory of 1176	1956	9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe	explorer.exe
PID 1956 wrote to memory of 1176	1956	9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe	explorer.exe
PID 1956 wrote to memory of 1176	1956	9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe	explorer.exe
PID 1956 wrote to memory of 1176	1956	9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe	explorer.exe
PID 1832 wrote to memory of 332	1832	explorer.exe	WScript.exe
PID 1832 wrote to memory of 332	1832	explorer.exe	WScript.exe
PID 1832 wrote to memory of 332	1832	explorer.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe
"C:\Users\Admin\AppData\Local\Temp\9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
  2⤵
  PID:1176

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
  2⤵
  - Adds Run key to start application
  PID:332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Execution.vbs

Filesize
559B

MD5
52b7140d35a38f6ae6e910a3c041cae2

SHA1
a398398aa69e4ba435ed318dc40f8a5397ccae03

SHA256
cc649cd28307555d7454e37e7ba4fa3d48041fd2650469a10f7f6cb415ed44cb

SHA512
9a25cd0c01557a7e7eb498b74c5cf327a52a9efa86ba98afe09cb37b410722c1b9dab1f999074c46bc70e066ed0442c38181cf48893bdd1ead1a007edd09a89a

Download Submit
memory/332-61-0x0000000000000000-mapping.dmp

Download
memory/1176-56-0x0000000000000000-mapping.dmp

Download
memory/1176-58-0x0000000070131000-0x0000000070133000-memory.dmp

Filesize
8KB

Download
memory/1832-59-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

Filesize
8KB

Download
memory/1956-54-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/1956-55-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads