Overview

overview

10

Static

static

Receipt Fo...df.exe

windows7_x64

10

Receipt Fo...df.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    164e898bee6dd90047df878226e298bcef8f9657c9e345d0ec22c00074866272

  • Size

    492KB

  • Sample

    220521-by7fcsfgfl

  • MD5

    8f80da322fee60f5f6176ef25ed5e1ce

  • SHA1

    432f14ceae907fe120f8b81b54fe0e3114bcfff9

  • SHA256

    164e898bee6dd90047df878226e298bcef8f9657c9e345d0ec22c00074866272

  • SHA512

    5570c1ef464a3006ad1df8e28f3fe95e60b2f0e4375c9bb34a9c24a349e20164dc3233dab33c4f80588e17a7a2e8c7b55b40e4ea403d695dc9f4feb00a595197

Score
10/10
hiveratpersistenceratstealer

Malware Config

Targets

    • Target

      Receipt For Shipment - 202008DHL_pdf.exe

    • Size

      439KB

    • MD5

      ddb7bbd558fcd125902849965c808037

    • SHA1

      1709dd13064045c763fef647324ea18f6548a93e

    • SHA256

      01a1c9bf023cdb265ad67a2a45db38fe25e9a23fd4bdb75a9e8f12c7b79eec8f

    • SHA512

      480450fc131ac2a97be46d22f47022dc23b9aff807825be4e333f5638f0a86c20a24f86af9e72f06af4d33456316b862191c164fcb01920c3c97b0577dbf757e

    Score
    10/10
    hiveratpersistenceratstealer

    • HiveRAT

      HiveRAT is an improved version of FirebirdRAT with various capabilities.

      ratstealerhiverat

    • HiveRAT Payload

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks