hiverat | faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d

General

Target

faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe
Size

236KB
MD5

2db12e4adb813900423f57caa32435c2
SHA1

cb2627fcef6e94699aa325cdd7428257cabcb93f
SHA256

faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d
SHA512

fc7334905db1348c3ba346edca12f51b1e59fcb43c4eef19f1e546e18c201d76cadcf2088f15a33f269b04a4034b48668028735071ec726b576d0cbb25a8d048

Score

10^/10

hiverat rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

HiveRAT Payload 15 IoCs

resource	yara_rule
behavioral1/memory/2044-61-0x0000000000400000-0x0000000000452000-memory.dmp	family_hiverat
behavioral1/memory/2044-62-0x0000000000400000-0x0000000000452000-memory.dmp	family_hiverat
behavioral1/memory/2044-63-0x0000000000400000-0x0000000000452000-memory.dmp	family_hiverat
behavioral1/memory/2044-65-0x000000000044BA1E-mapping.dmp	family_hiverat
behavioral1/memory/2044-64-0x0000000000400000-0x0000000000452000-memory.dmp	family_hiverat
behavioral1/memory/2044-68-0x0000000000400000-0x0000000000452000-memory.dmp	family_hiverat
behavioral1/memory/2044-70-0x0000000000400000-0x0000000000452000-memory.dmp	family_hiverat
behavioral1/memory/2044-73-0x0000000000400000-0x0000000000452000-memory.dmp	family_hiverat
behavioral1/memory/2044-74-0x0000000000400000-0x0000000000452000-memory.dmp	family_hiverat
behavioral1/memory/2044-75-0x0000000000400000-0x0000000000452000-memory.dmp	family_hiverat
behavioral1/memory/2044-76-0x0000000000400000-0x0000000000452000-memory.dmp	family_hiverat
behavioral1/memory/2044-80-0x0000000000400000-0x0000000000452000-memory.dmp	family_hiverat
behavioral1/memory/2044-83-0x0000000000400000-0x0000000000452000-memory.dmp	family_hiverat
behavioral1/memory/2044-84-0x0000000000400000-0x0000000000452000-memory.dmp	family_hiverat
behavioral1/memory/2044-85-0x0000000000400000-0x0000000000452000-memory.dmp	family_hiverat

Executes dropped EXE 1 IoCs

pid	Process
2044	svhost.exe

Loads dropped DLL 1 IoCs

pid	Process
1992	faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1992 set thread context of 2044	1992	faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe	27

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2044	svhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	svhost.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2044	1992	faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe	27
PID 1992 wrote to memory of 2044	1992	faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe	27
PID 1992 wrote to memory of 2044	1992	faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe	27
PID 1992 wrote to memory of 2044	1992	faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe	27
PID 1992 wrote to memory of 2044	1992	faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe	27
PID 1992 wrote to memory of 2044	1992	faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe	27
PID 1992 wrote to memory of 2044	1992	faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe	27
PID 1992 wrote to memory of 2044	1992	faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe	27
PID 1992 wrote to memory of 2044	1992	faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe	27
PID 1992 wrote to memory of 2044	1992	faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe	27

C:\Users\Admin\AppData\Local\Temp\faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe
"C:\Users\Admin\AppData\Local\Temp\faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/1992-54-0x0000000000040000-0x0000000000082000-memory.dmp

Filesize
264KB

Download
memory/1992-55-0x0000000075DB1000-0x0000000075DB3000-memory.dmp

Filesize
8KB

Download
memory/1992-56-0x0000000000590000-0x00000000005E0000-memory.dmp

Filesize
320KB

Download
memory/2044-64-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2044-73-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2044-63-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2044-61-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2044-68-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2044-59-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2044-70-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2044-58-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2044-62-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2044-74-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2044-75-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2044-76-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2044-80-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2044-83-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2044-84-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2044-85-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing