hiverat | 164e898bee6dd90047df878226e298bcef8f9657c9e345d0ec22c00074866272

General

Target

Receipt For Shipment - 202008DHL_pdf.exe
Size

439KB
MD5

ddb7bbd558fcd125902849965c808037
SHA1

1709dd13064045c763fef647324ea18f6548a93e
SHA256

01a1c9bf023cdb265ad67a2a45db38fe25e9a23fd4bdb75a9e8f12c7b79eec8f
SHA512

480450fc131ac2a97be46d22f47022dc23b9aff807825be4e333f5638f0a86c20a24f86af9e72f06af4d33456316b862191c164fcb01920c3c97b0577dbf757e

Score

10^/10

hiverat persistence rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

HiveRAT Payload 15 IoCs

resource	yara_rule
behavioral1/memory/1224-60-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1224-61-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1224-62-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1224-63-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1224-64-0x000000000044C8CE-mapping.dmp	family_hiverat
behavioral1/memory/1224-66-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1224-68-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1224-70-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1224-71-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1224-73-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1224-72-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1224-77-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1224-80-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1224-82-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1224-81-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\msteams = "\"C:\\Users\\Admin\\AppData\\Roaming\\msteams.exe\""	Receipt For Shipment - 202008DHL_pdf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1776 set thread context of 1224	1776	Receipt For Shipment - 202008DHL_pdf.exe	28

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe
1776	Receipt For Shipment - 202008DHL_pdf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1224	Receipt For Shipment - 202008DHL_pdf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1776	Receipt For Shipment - 202008DHL_pdf.exe
Token: SeDebugPrivilege	1224	Receipt For Shipment - 202008DHL_pdf.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 1224	1776	Receipt For Shipment - 202008DHL_pdf.exe	28
PID 1776 wrote to memory of 1224	1776	Receipt For Shipment - 202008DHL_pdf.exe	28
PID 1776 wrote to memory of 1224	1776	Receipt For Shipment - 202008DHL_pdf.exe	28
PID 1776 wrote to memory of 1224	1776	Receipt For Shipment - 202008DHL_pdf.exe	28
PID 1776 wrote to memory of 1224	1776	Receipt For Shipment - 202008DHL_pdf.exe	28
PID 1776 wrote to memory of 1224	1776	Receipt For Shipment - 202008DHL_pdf.exe	28
PID 1776 wrote to memory of 1224	1776	Receipt For Shipment - 202008DHL_pdf.exe	28
PID 1776 wrote to memory of 1224	1776	Receipt For Shipment - 202008DHL_pdf.exe	28
PID 1776 wrote to memory of 1224	1776	Receipt For Shipment - 202008DHL_pdf.exe	28
PID 1776 wrote to memory of 1224	1776	Receipt For Shipment - 202008DHL_pdf.exe	28

C:\Users\Admin\AppData\Local\Temp\Receipt For Shipment - 202008DHL_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Receipt For Shipment - 202008DHL_pdf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\Temp\Receipt For Shipment - 202008DHL_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Receipt For Shipment - 202008DHL_pdf.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1224-66-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1224-80-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1224-63-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1224-57-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1224-58-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1224-60-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1224-61-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1224-82-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1224-81-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1224-62-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1224-68-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1224-70-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1224-71-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1224-73-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1224-72-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1224-77-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1776-55-0x00000000754A1000-0x00000000754A3000-memory.dmp

Filesize
8KB

Download
memory/1776-54-0x0000000000E50000-0x0000000000EC2000-memory.dmp

Filesize
456KB

Download
memory/1776-56-0x0000000000DB0000-0x0000000000E1C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing