Overview

overview

10

Static

static

IMG_INTE.exe

windows7_x64

10

IMG_INTE.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ad19a319f0d4a6be92f09a8525bcd769dfebfc1bbb79ecb2fe278ed5364e568b

  • Size

    1.2MB

  • Sample

    220521-by6ttscga4

  • MD5

    d49fbc9dd708b8775fb0d392622f1c24

  • SHA1

    435ff1e2ed3ab3c670e1692a6037dad9ffea4d70

  • SHA256

    ad19a319f0d4a6be92f09a8525bcd769dfebfc1bbb79ecb2fe278ed5364e568b

  • SHA512

    464de261c6bd8bea1f8e48d8762fdda302918410c6df0495acab932dc2bf5e40a2e90967b0818af2a633aaa9725c8562793627c0286b19b515f0686944f07d31

Score
10/10
hiveratagilenetpersistenceratstealer

Malware Config

Targets

    • Target

      IMG_INTE.EXE

    • Size

      713KB

    • MD5

      af83e45292be69defcde71a4ff87ed5e

    • SHA1

      d6fd4bd24923e2ba57d86117fd27d7248e84d3e1

    • SHA256

      bf0d1bf23351a82eddca116c85801b4d1bbe328933e729c735226f9563432544

    • SHA512

      08304dbe701ba59acf10f90ad5f3bfa9e0123c7caf9596659de139302c185d3fa2238b26bac6bd7fa64f92de8d57bf07766b2ba599b2137a88e4e42c5a4f6c03

    Score
    10/10
    hiveratagilenetpersistenceratstealer

    • HiveRAT

      HiveRAT is an improved version of FirebirdRAT with various capabilities.

      ratstealerhiverat

    • HiveRAT Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks