Overview

overview

10

Static

static

Christmas ...DF.exe

windows7_x64

10

Christmas ...DF.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Christmas Shipment 102120208586_PDF.exe

  • Size

    349KB

  • Sample

    220707-jhwmxshde9

  • MD5

    d83e43d9071e4db4af3cb776b5ec020c

  • SHA1

    d4a4e658b5658901e62a17ae85cf15ec8051cad3

  • SHA256

    3dd49a4c4138beb588bd295bdf95af66f5d4779cb1d70731a3702dd08c794d66

  • SHA512

    f3aa967c4d7ad1294968b8e4e94ca51f171ecd003bb7709f9da006e4acdda8b8a40fdf3219b69afac7bbbb3cc0cd0198ce5978b75d8387b02f510bcb5e6fbf22

Score
10/10
hiveratratstealer

Malware Config

Targets

    • Target

      Christmas Shipment 102120208586_PDF.exe

    • Size

      349KB

    • MD5

      d83e43d9071e4db4af3cb776b5ec020c

    • SHA1

      d4a4e658b5658901e62a17ae85cf15ec8051cad3

    • SHA256

      3dd49a4c4138beb588bd295bdf95af66f5d4779cb1d70731a3702dd08c794d66

    • SHA512

      f3aa967c4d7ad1294968b8e4e94ca51f171ecd003bb7709f9da006e4acdda8b8a40fdf3219b69afac7bbbb3cc0cd0198ce5978b75d8387b02f510bcb5e6fbf22

    Score
    10/10
    hiveratratstealer

    • HiveRAT

      HiveRAT is an improved version of FirebirdRAT with various capabilities.

      ratstealerhiverat

    • Beds Protector Packer

      Detects Beds Protector packer used to load .NET malware.

    • HiveRAT Payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks