Overview

overview

10

Static

static

Booking Co...DF.exe

windows7_x64

10

Booking Co...DF.exe

windows10-2004_x64

10

Resubmissions

07-07-2022 07:38

220707-jgwxasfbgj 10

06-11-2020 17:38

201106-dv6jg3j51e 8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Booking Confirmation 110492024951 - copy - PDF.exe

  • Size

    783KB

  • Sample

    220707-jgwxasfbgj

  • MD5

    f867516ec5e600fb4af968c71b9a2a80

  • SHA1

    701970eb6a98cbc8661562155796f0491cf36efe

  • SHA256

    84e2088ea38d600fd562925b840117483cf4683573e92106c23c19bdfae2f878

  • SHA512

    d694a4898a7bca9aa1f9bfa20ca38c2768a608afc80b8dfa9a7bbbdc0740f7bab7514813530cec3ea66ce2b89cb916fcbbc94214d4859b8c98742e08ef486c41

Score
10/10
hiveratpersistenceratstealer

Malware Config

Targets

    • Target

      Booking Confirmation 110492024951 - copy - PDF.exe

    • Size

      783KB

    • MD5

      f867516ec5e600fb4af968c71b9a2a80

    • SHA1

      701970eb6a98cbc8661562155796f0491cf36efe

    • SHA256

      84e2088ea38d600fd562925b840117483cf4683573e92106c23c19bdfae2f878

    • SHA512

      d694a4898a7bca9aa1f9bfa20ca38c2768a608afc80b8dfa9a7bbbdc0740f7bab7514813530cec3ea66ce2b89cb916fcbbc94214d4859b8c98742e08ef486c41

    Score
    10/10
    hiveratpersistenceratstealer

    • HiveRAT

      HiveRAT is an improved version of FirebirdRAT with various capabilities.

      ratstealerhiverat

    • HiveRAT Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks