hiverat | ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171

General

Target

ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe
Size

783KB
MD5

af453e6dc8439e4856260859e7d68fc1
SHA1

031520acf4961f5938f0ceeb2f02e2656667cffb
SHA256

ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171
SHA512

434afe14ea03edb8988ca23785275a63f8398936811f0b86215c1f4b3f165fc0da352e01aa16206e6f28bf93dee4c0ec21882b08b35adedb55052d7fb54136e3

Score

10^/10

hiverat evasion persistence rat stealer trojan

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe\""	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

HiveRAT Payload 8 IoCs

resource	yara_rule
behavioral1/memory/1668-56-0x0000000000D90000-0x0000000000E56000-memory.dmp	family_hiverat
behavioral1/memory/1828-66-0x0000000000400000-0x000000000049A000-memory.dmp	family_hiverat
behavioral1/memory/1828-68-0x000000000044C1CE-mapping.dmp	family_hiverat
behavioral1/memory/1828-72-0x0000000000400000-0x000000000049A000-memory.dmp	family_hiverat
behavioral1/memory/1828-70-0x0000000000400000-0x000000000049A000-memory.dmp	family_hiverat
behavioral1/memory/1828-67-0x0000000000400000-0x000000000049A000-memory.dmp	family_hiverat
behavioral1/memory/1828-65-0x0000000000400000-0x000000000049A000-memory.dmp	family_hiverat
behavioral1/memory/1828-63-0x0000000000400000-0x000000000049A000-memory.dmp	family_hiverat

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SomethingNew = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uclui.exe"	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\RadeonCurrentUserInstall = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uclui.exe"	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RadeonInstaller = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uclui.exe"	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1668 set thread context of 1828	1668	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe	31

Program crash 1 IoCs

pid	pid_target	Process	procid_target
824	1828	WerFault.exe	31

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1220	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1220	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 1220	1668	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe	30
PID 1668 wrote to memory of 1220	1668	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe	30
PID 1668 wrote to memory of 1220	1668	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe	30
PID 1668 wrote to memory of 1220	1668	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe	30
PID 1668 wrote to memory of 1828	1668	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe	31
PID 1668 wrote to memory of 1828	1668	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe	31
PID 1668 wrote to memory of 1828	1668	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe	31
PID 1668 wrote to memory of 1828	1668	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe	31
PID 1668 wrote to memory of 1828	1668	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe	31
PID 1668 wrote to memory of 1828	1668	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe	31
PID 1668 wrote to memory of 1828	1668	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe	31
PID 1668 wrote to memory of 1828	1668	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe	31
PID 1668 wrote to memory of 1828	1668	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe	31
PID 1668 wrote to memory of 1828	1668	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe	31
PID 1828 wrote to memory of 824	1828	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe	32
PID 1828 wrote to memory of 824	1828	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe	32
PID 1828 wrote to memory of 824	1828	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe	32
PID 1828 wrote to memory of 824	1828	ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe	32

C:\Users\Admin\AppData\Local\Temp\ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe
"C:\Users\Admin\AppData\Local\Temp\ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe"
1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1220
- C:\Users\Admin\AppData\Local\Temp\ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe
  "C:\Users\Admin\AppData\Local\Temp\ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 528
    3⤵
    - Program crash
    PID:824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1220-59-0x000000006EA70000-0x000000006F01B000-memory.dmp

Filesize
5.7MB

Download
memory/1668-54-0x0000000001120000-0x00000000011E8000-memory.dmp

Filesize
800KB

Download
memory/1668-55-0x0000000075371000-0x0000000075373000-memory.dmp

Filesize
8KB

Download
memory/1668-56-0x0000000000D90000-0x0000000000E56000-memory.dmp

Filesize
792KB

Download
memory/1828-60-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1828-66-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1828-72-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1828-70-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1828-67-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1828-61-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1828-65-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1828-63-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads