hiverat | bb46e6aad59864e3e4826189809c7fdb8a449f69817723ff2039147e3ec020d7

General

Target

bb46e6aad59864e3e4826189809c7fdb8a449f69817723ff2039147e3ec020d7.exe
Size

444KB
MD5

3345d81272159ef8f2e837c836da04e3
SHA1

c073b1f55f53472efa4b3e0afc2399d0ec73eead
SHA256

bb46e6aad59864e3e4826189809c7fdb8a449f69817723ff2039147e3ec020d7
SHA512

2de3e07219c4f4f7fd2f0787ca626a9a33f56e01e936f7a44275984c3021e73634d5cf30e250c7a632059bbfecdc8049316b959898a372ae3c598e5252fdcef4

Score

10^/10

hiverat persistence rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

HiveRAT Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1648-54-0x0000000000020000-0x000000000009A000-memory.dmp	family_hiverat

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\antvirus = "C:\\Users\\Admin\\AppData\\Roaming \\ windefender.exe"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\antvirus = "C:\\Users\\Admin\\AppData\\Roaming\\windefender.exe"	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1648	bb46e6aad59864e3e4826189809c7fdb8a449f69817723ff2039147e3ec020d7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1648	bb46e6aad59864e3e4826189809c7fdb8a449f69817723ff2039147e3ec020d7.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 1740	1648	bb46e6aad59864e3e4826189809c7fdb8a449f69817723ff2039147e3ec020d7.exe	27
PID 1648 wrote to memory of 1740	1648	bb46e6aad59864e3e4826189809c7fdb8a449f69817723ff2039147e3ec020d7.exe	27
PID 1648 wrote to memory of 1740	1648	bb46e6aad59864e3e4826189809c7fdb8a449f69817723ff2039147e3ec020d7.exe	27
PID 1648 wrote to memory of 1740	1648	bb46e6aad59864e3e4826189809c7fdb8a449f69817723ff2039147e3ec020d7.exe	27
PID 1648 wrote to memory of 2036	1648	bb46e6aad59864e3e4826189809c7fdb8a449f69817723ff2039147e3ec020d7.exe	28
PID 1648 wrote to memory of 2036	1648	bb46e6aad59864e3e4826189809c7fdb8a449f69817723ff2039147e3ec020d7.exe	28
PID 1648 wrote to memory of 2036	1648	bb46e6aad59864e3e4826189809c7fdb8a449f69817723ff2039147e3ec020d7.exe	28
PID 1648 wrote to memory of 2036	1648	bb46e6aad59864e3e4826189809c7fdb8a449f69817723ff2039147e3ec020d7.exe	28
PID 1648 wrote to memory of 2012	1648	bb46e6aad59864e3e4826189809c7fdb8a449f69817723ff2039147e3ec020d7.exe	29
PID 1648 wrote to memory of 2012	1648	bb46e6aad59864e3e4826189809c7fdb8a449f69817723ff2039147e3ec020d7.exe	29
PID 1648 wrote to memory of 2012	1648	bb46e6aad59864e3e4826189809c7fdb8a449f69817723ff2039147e3ec020d7.exe	29
PID 1648 wrote to memory of 2012	1648	bb46e6aad59864e3e4826189809c7fdb8a449f69817723ff2039147e3ec020d7.exe	29
PID 748 wrote to memory of 992	748	explorer.exe	33
PID 748 wrote to memory of 992	748	explorer.exe	33
PID 748 wrote to memory of 992	748	explorer.exe	33

C:\Users\Admin\AppData\Local\Temp\bb46e6aad59864e3e4826189809c7fdb8a449f69817723ff2039147e3ec020d7.exe
"C:\Users\Admin\AppData\Local\Temp\bb46e6aad59864e3e4826189809c7fdb8a449f69817723ff2039147e3ec020d7.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution5.vbs"
  2⤵
  PID:1740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution2.vbs"
  2⤵
  - Adds Run key to start application
  PID:2036
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
  2⤵
  PID:2012

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
  2⤵
  - Adds Run key to start application
  PID:992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Execution.vbs

Filesize
569B

MD5
743df8248e54fd91856951188e3094f2

SHA1
eeb2d9900d684128a8f38cb5256ec30879a8058d

SHA256
7e6a03abee4ed68604a0b5f0c5c2efe86c3c8106068a5b4bdc0ab9457658538f

SHA512
8900228c38fde6567998aa954b38e00e531f5ccd33f1471060bc4426aa8258dff9aaf89105a1aa461a26a73c8d22950050be214fe5718fa84c25c631e5700196

Download Submit
C:\Users\Admin\AppData\Local\Execution2.vbs

Filesize
813B

MD5
9089c318822d5236ea57a1ab1cd2423c

SHA1
fd2f802809486520005e24550bfd0a0d185b9aa6

SHA256
639a20cc23d9dd274487728eeda789b5ee0d49e07c94cc064cf1d76463a2cbb6

SHA512
e18a2d0660d3973c8e9e308853b1fceeea4e487f6e2d8c250d9c70251de411e1e4fbb6bd13c8d1d4c6a1264cc39f7ed8dda80c35f950c1f7b8a6b8ad05ab02b3

Download Submit
C:\Users\Admin\AppData\Local\Execution5.vbs

Filesize
563B

MD5
1b57fa3c2ec8c0ce0e028d2d01d87b89

SHA1
774e510ef3d0e2dece8b89a4bb6b004cc0b03801

SHA256
d773b3ee5ea9a54e07a2e8fc0da33106f6db47adaf1845d95ef6ca663ef2048b

SHA512
bec393fb41c435f60da417356472468678aa1a46d0fe251fb1cf7a9687bc0fa0453847b20d7814fa3a434ef85b0a191a04032b0481469771794cd51becb4a14c

Download Submit
memory/748-65-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp

Filesize
8KB

Download
memory/1648-54-0x0000000000020000-0x000000000009A000-memory.dmp

Filesize
488KB

Download
memory/1648-55-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/2012-64-0x000000006F611000-0x000000006F613000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing