hiverat | faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d

General

Target

faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe
Size

236KB
MD5

2db12e4adb813900423f57caa32435c2
SHA1

cb2627fcef6e94699aa325cdd7428257cabcb93f
SHA256

faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d
SHA512

fc7334905db1348c3ba346edca12f51b1e59fcb43c4eef19f1e546e18c201d76cadcf2088f15a33f269b04a4034b48668028735071ec726b576d0cbb25a8d048

Score

10^/10

hiverat rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

HiveRAT Payload 11 IoCs

resource	yara_rule
behavioral2/memory/2932-139-0x00000000003A0000-0x00000000003F2000-memory.dmp	family_hiverat
behavioral2/memory/2932-143-0x00000000003A0000-0x00000000003F2000-memory.dmp	family_hiverat
behavioral2/memory/2932-135-0x00000000003A0000-0x00000000003F2000-memory.dmp	family_hiverat
behavioral2/memory/2932-148-0x00000000003A0000-0x00000000003F2000-memory.dmp	family_hiverat
behavioral2/memory/2932-158-0x00000000003A0000-0x00000000003F2000-memory.dmp	family_hiverat
behavioral2/memory/2932-157-0x00000000003A0000-0x00000000003F2000-memory.dmp	family_hiverat
behavioral2/memory/2932-156-0x00000000003A0000-0x00000000003F2000-memory.dmp	family_hiverat
behavioral2/memory/2932-153-0x00000000003A0000-0x00000000003F2000-memory.dmp	family_hiverat
behavioral2/memory/2932-149-0x00000000003A0000-0x00000000003F2000-memory.dmp	family_hiverat
behavioral2/memory/2932-147-0x00000000003A0000-0x00000000003F2000-memory.dmp	family_hiverat
behavioral2/memory/2932-146-0x00000000003A0000-0x00000000003F2000-memory.dmp	family_hiverat

Executes dropped EXE 1 IoCs

pid	Process
2932	svhost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1728 set thread context of 2932	1728	faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe	70

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2932	svhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	svhost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2932	1728	faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe	70
PID 1728 wrote to memory of 2932	1728	faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe	70
PID 1728 wrote to memory of 2932	1728	faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe	70
PID 1728 wrote to memory of 2932	1728	faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe	70
PID 1728 wrote to memory of 2932	1728	faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe	70
PID 1728 wrote to memory of 2932	1728	faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe	70
PID 1728 wrote to memory of 2932	1728	faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe	70
PID 1728 wrote to memory of 2932	1728	faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe	70
PID 1728 wrote to memory of 2932	1728	faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe	70

C:\Users\Admin\AppData\Local\Temp\faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe
"C:\Users\Admin\AppData\Local\Temp\faedba78d76455d390dcc0588860d6016f875d7c844ab7f954894b6843cecf6d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
memory/1728-131-0x0000000005160000-0x00000000051FC000-memory.dmp

Filesize
624KB

Download
memory/1728-130-0x0000000000720000-0x0000000000762000-memory.dmp

Filesize
264KB

Download
memory/2932-148-0x00000000003A0000-0x00000000003F2000-memory.dmp

Filesize
328KB

Download
memory/2932-164-0x0000000004C30000-0x0000000004CC2000-memory.dmp

Filesize
584KB

Download
memory/2932-143-0x00000000003A0000-0x00000000003F2000-memory.dmp

Filesize
328KB

Download
memory/2932-139-0x00000000003A0000-0x00000000003F2000-memory.dmp

Filesize
328KB

Download
memory/2932-158-0x00000000003A0000-0x00000000003F2000-memory.dmp

Filesize
328KB

Download
memory/2932-157-0x00000000003A0000-0x00000000003F2000-memory.dmp

Filesize
328KB

Download
memory/2932-135-0x00000000003A0000-0x00000000003F2000-memory.dmp

Filesize
328KB

Download
memory/2932-156-0x00000000003A0000-0x00000000003F2000-memory.dmp

Filesize
328KB

Download
memory/2932-165-0x0000000005280000-0x0000000005824000-memory.dmp

Filesize
5.6MB

Download
memory/2932-153-0x00000000003A0000-0x00000000003F2000-memory.dmp

Filesize
328KB

Download
memory/2932-149-0x00000000003A0000-0x00000000003F2000-memory.dmp

Filesize
328KB

Download
memory/2932-147-0x00000000003A0000-0x00000000003F2000-memory.dmp

Filesize
328KB

Download
memory/2932-146-0x00000000003A0000-0x00000000003F2000-memory.dmp

Filesize
328KB

Download
memory/2932-166-0x0000000004CD0000-0x0000000004D36000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing