hiverat | 0dedc8d99e368addcf1950fd4656b8c95800210b2b5e152880634aaa37c27c81

Analysis

max time kernel
164s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2022 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Slip_063b22.txt.exe
Size

2.5MB
MD5

9fc63544f95d6597481b2ad968d956bd
SHA1

99a6b796833db909cff3d3d8678652216c9b9bd4
SHA256

0dedc8d99e368addcf1950fd4656b8c95800210b2b5e152880634aaa37c27c81
SHA512

a64d99e979e2e12ebe5a3fe03234d4b4f60c089922ead4906c3cd61eb4be04e485d0959e34bc237add4c12dfbaf4d946b1953ce0d3539f8fc61902601bd06713
SSDEEP

49152:+w80cTsjkWaFsWTfnmxsD8+sjYlaMx7WB/udhrWzBVb:D8sjkWkmSiYlnx6Fud9Wz

Score

10^/10

hiverat rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

HiveRAT payload 16 IoCs

resource	yara_rule
behavioral2/memory/4804-136-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/4804-137-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/4804-138-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/4804-139-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/4804-140-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/4804-141-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/4804-142-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/4804-143-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/4804-144-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/4804-145-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/4804-149-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/4804-152-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/4804-153-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/4804-154-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/4804-156-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/4804-170-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KBWJC.com.url	Slip_063b22.txt.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
4804	svchost.exe
4804	svchost.exe
4804	svchost.exe
4804	svchost.exe
4804	svchost.exe
4804	svchost.exe
4804	svchost.exe
4804	svchost.exe
4804	svchost.exe
4804	svchost.exe
4804	svchost.exe
4804	svchost.exe
4804	svchost.exe
4804	svchost.exe
4804	svchost.exe
4804	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4824 set thread context of 4804	4824	Slip_063b22.txt.exe	82

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe
4824	Slip_063b22.txt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4804	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4804	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4804	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 4804	4824	Slip_063b22.txt.exe	82
PID 4824 wrote to memory of 4804	4824	Slip_063b22.txt.exe	82
PID 4824 wrote to memory of 4804	4824	Slip_063b22.txt.exe	82
PID 4824 wrote to memory of 4804	4824	Slip_063b22.txt.exe	82
PID 4824 wrote to memory of 4804	4824	Slip_063b22.txt.exe	82
PID 4824 wrote to memory of 4804	4824	Slip_063b22.txt.exe	82
PID 4824 wrote to memory of 4804	4824	Slip_063b22.txt.exe	82
PID 4824 wrote to memory of 4804	4824	Slip_063b22.txt.exe	82
PID 4824 wrote to memory of 4804	4824	Slip_063b22.txt.exe	82
PID 4824 wrote to memory of 4804	4824	Slip_063b22.txt.exe	82
PID 4824 wrote to memory of 4804	4824	Slip_063b22.txt.exe	82
PID 4824 wrote to memory of 4804	4824	Slip_063b22.txt.exe	82
PID 4824 wrote to memory of 4804	4824	Slip_063b22.txt.exe	82
PID 4824 wrote to memory of 4804	4824	Slip_063b22.txt.exe	82
PID 4824 wrote to memory of 4804	4824	Slip_063b22.txt.exe	82
PID 4824 wrote to memory of 4804	4824	Slip_063b22.txt.exe	82

C:\Users\Admin\AppData\Local\Temp\Slip_063b22.txt.exe
"C:\Users\Admin\AppData\Local\Temp\Slip_063b22.txt.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4804-133-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/4804-135-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/4804-136-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/4804-137-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/4804-138-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/4804-139-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/4804-140-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/4804-141-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/4804-142-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/4804-143-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/4804-144-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/4804-145-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/4804-149-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/4804-152-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/4804-153-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/4804-154-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/4804-156-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/4804-167-0x0000000006470000-0x0000000006502000-memory.dmp

Filesize
584KB

Download
memory/4804-168-0x0000000006510000-0x00000000065AC000-memory.dmp

Filesize
624KB

Download
memory/4804-169-0x0000000007650000-0x0000000007BF4000-memory.dmp

Filesize
5.6MB

Download
memory/4804-170-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download