Overview

overview

10

Static

static

Booking Co...51.exe

windows7_x64

10

Booking Co...51.exe

windows10-2004_x64

10

Resubmissions

07-07-2022 07:38

220707-jgnwpafbfn 10

02-11-2020 14:43

201102-qmzdv5yy92 8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Booking Confirmation591773251.exe

  • Size

    926KB

  • Sample

    220707-jgnwpafbfn

  • MD5

    d36537604871b3550a9c5c635c37a601

  • SHA1

    a5360105e7b4d5316c88e5403013dd395c1ab145

  • SHA256

    4f3145508f4292ca3bfb6d9d4284b50df0834743676e6b951e71b4248d0d1a72

  • SHA512

    8b0c31bae27b95ee726fb77a2e0c6b82e599f73ad93d0fcf8c853cca2daf285796d0175ea1d5e0cfb3a40d5b80958a6c1d821b10eb241cba95a7c909ffe04df9

Score
10/10
hiveratpersistenceratstealer

Malware Config

Targets

    • Target

      Booking Confirmation591773251.exe

    • Size

      926KB

    • MD5

      d36537604871b3550a9c5c635c37a601

    • SHA1

      a5360105e7b4d5316c88e5403013dd395c1ab145

    • SHA256

      4f3145508f4292ca3bfb6d9d4284b50df0834743676e6b951e71b4248d0d1a72

    • SHA512

      8b0c31bae27b95ee726fb77a2e0c6b82e599f73ad93d0fcf8c853cca2daf285796d0175ea1d5e0cfb3a40d5b80958a6c1d821b10eb241cba95a7c909ffe04df9

    Score
    10/10
    hiveratpersistenceratstealer

    • HiveRAT

      HiveRAT is an improved version of FirebirdRAT with various capabilities.

      ratstealerhiverat

    • HiveRAT Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks