hiverat | 9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced

General

Target

9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe
Size

300KB
MD5

1f8ef85018585c48b2abe7876f0d6e7e
SHA1

ddcc9c01e06187bed5c6c8b0ab7ca127428cf02c
SHA256

9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced
SHA512

d3a118b0fe2266b943f84aa6809565abbf12a1b2c326760f97233ed9ca9af1bf7a494c7a5d4c1495237c75d859123a1bb1b4b419dc3f9e6a43525849e5ad43ef

Score

10^/10

hiverat persistence rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

HiveRAT Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2356-130-0x0000000000660000-0x00000000006B2000-memory.dmp	family_hiverat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Avast Essentials = "C:\\Users\\Admin\\AppData\\Roaming\\Avast.exe"	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings explorer.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe

pid process

2356 9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe

description pid process

Token: SeDebugPrivilege 2356 9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	explorer.exe

pid	process
2356	9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe

description	pid	process
Token: SeDebugPrivilege	2356	9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exeexplorer.exe

description	pid	process	target process
PID 2356 wrote to memory of 4312	2356	9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe	explorer.exe
PID 2356 wrote to memory of 4312	2356	9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe	explorer.exe
PID 2356 wrote to memory of 4312	2356	9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe	explorer.exe
PID 4364 wrote to memory of 4720	4364	explorer.exe	WScript.exe
PID 4364 wrote to memory of 4720	4364	explorer.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe
"C:\Users\Admin\AppData\Local\Temp\9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
  2⤵
  PID:4312

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
  2⤵
  - Adds Run key to start application
  PID:4720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Execution.vbs

Filesize
559B

MD5
52b7140d35a38f6ae6e910a3c041cae2

SHA1
a398398aa69e4ba435ed318dc40f8a5397ccae03

SHA256
cc649cd28307555d7454e37e7ba4fa3d48041fd2650469a10f7f6cb415ed44cb

SHA512
9a25cd0c01557a7e7eb498b74c5cf327a52a9efa86ba98afe09cb37b410722c1b9dab1f999074c46bc70e066ed0442c38181cf48893bdd1ead1a007edd09a89a

Download Submit
memory/2356-130-0x0000000000660000-0x00000000006B2000-memory.dmp

Filesize
328KB

Download
memory/2356-131-0x00000000056F0000-0x0000000005C94000-memory.dmp

Filesize
5.6MB

Download
memory/2356-132-0x0000000005070000-0x0000000005102000-memory.dmp

Filesize
584KB

Download
memory/2356-133-0x0000000002BF0000-0x0000000002C56000-memory.dmp

Filesize
408KB

Download
memory/2356-134-0x0000000005240000-0x00000000052DC000-memory.dmp

Filesize
624KB

Download
memory/4312-135-0x0000000000000000-mapping.dmp

Download
memory/4720-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads