General

  • Target

    4037e5b24219d7adaa936d19be9d0d7b2c42385ff8242e011a9aa02094d24454

  • Size

    1.2MB

  • Sample

    220521-dm1vjsfhh3

  • MD5

    f1db0a2cf6c9d7698bad49f9bd619525

  • SHA1

    8f395ce41c719a572ac0070dcc52d1900af6667b

  • SHA256

    4037e5b24219d7adaa936d19be9d0d7b2c42385ff8242e011a9aa02094d24454

  • SHA512

    84cc6dd33fad952ef5801309d9d9fd9786ac7933fc78035538565f69a85dc5f4a4098b03e5db35d0a774b28986375d07744f010a1c5de317425d5357f28368f3

Score
10/10

Malware Config

Targets

    • Target

      GAMESPOR.EXE

    • Size

      719KB

    • MD5

      5d6b01b87783fd49b95ee6570c69ad19

    • SHA1

      de96bc61f52d5d7f790d84ab6ad54ae178211c2d

    • SHA256

      a25220d36761cb66dd0802e6bc007a963f4d6caea2f1cba85b078171766d6311

    • SHA512

      afb9a8b288f5e4775949968d531358bf507e0a94a74aa29262cee2b6cee25af13453131b1236e96d55a2387d44aefb8bf1686344d4ae336bea55aa906a62c720

    Score
    10/10
    • HiveRAT

      HiveRAT is an improved version of FirebirdRAT with various capabilities.

    • HiveRAT Payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task: T1053 (1)

  • Persistence

    Scheduled Task: T1053 (1)

  • Privilege Escalation

    Scheduled Task: T1053 (1)

  • Discovery

    Query Registry: T1012 (1)

    System Information Discovery: T1082 (2)
