hiverat | 0dedc8d99e368addcf1950fd4656b8c95800210b2b5e152880634aaa37c27c81

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2022 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Slip_063b22.exe
Size

2.5MB
MD5

9fc63544f95d6597481b2ad968d956bd
SHA1

99a6b796833db909cff3d3d8678652216c9b9bd4
SHA256

0dedc8d99e368addcf1950fd4656b8c95800210b2b5e152880634aaa37c27c81
SHA512

a64d99e979e2e12ebe5a3fe03234d4b4f60c089922ead4906c3cd61eb4be04e485d0959e34bc237add4c12dfbaf4d946b1953ce0d3539f8fc61902601bd06713
SSDEEP

49152:+w80cTsjkWaFsWTfnmxsD8+sjYlaMx7WB/udhrWzBVb:D8sjkWkmSiYlnx6Fud9Wz

Score

10^/10

hiverat rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

HiveRAT payload 16 IoCs

resource	yara_rule
behavioral2/memory/1660-141-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/1660-142-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/1660-140-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/1660-143-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/1660-144-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/1660-145-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/1660-146-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/1660-147-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/1660-148-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/1660-149-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/1660-153-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/1660-156-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/1660-158-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/1660-157-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/1660-167-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat
behavioral2/memory/1660-174-0x0000000000400000-0x000000000081C000-memory.dmp	family_hiverat

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KBWJC.com.url	Slip_063b22.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

pid	Process
1660	svchost.exe
1660	svchost.exe
1660	svchost.exe
1660	svchost.exe
1660	svchost.exe
1660	svchost.exe
1660	svchost.exe
1660	svchost.exe
1660	svchost.exe
1660	svchost.exe
1660	svchost.exe
1660	svchost.exe
1660	svchost.exe
1660	svchost.exe
1660	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1940 set thread context of 1264	1940	Slip_063b22.exe	83
PID 1940 set thread context of 4696	1940	Slip_063b22.exe	87
PID 1940 set thread context of 1660	1940	Slip_063b22.exe	90

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4796	1264	WerFault.exe	83
4540	4696	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe
1940	Slip_063b22.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1660	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1660	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1660	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1264	1940	Slip_063b22.exe	83
PID 1940 wrote to memory of 1264	1940	Slip_063b22.exe	83
PID 1940 wrote to memory of 1264	1940	Slip_063b22.exe	83
PID 1940 wrote to memory of 1264	1940	Slip_063b22.exe	83
PID 1940 wrote to memory of 4696	1940	Slip_063b22.exe	87
PID 1940 wrote to memory of 4696	1940	Slip_063b22.exe	87
PID 1940 wrote to memory of 4696	1940	Slip_063b22.exe	87
PID 1940 wrote to memory of 4696	1940	Slip_063b22.exe	87
PID 1940 wrote to memory of 1660	1940	Slip_063b22.exe	90
PID 1940 wrote to memory of 1660	1940	Slip_063b22.exe	90
PID 1940 wrote to memory of 1660	1940	Slip_063b22.exe	90
PID 1940 wrote to memory of 1660	1940	Slip_063b22.exe	90
PID 1940 wrote to memory of 1660	1940	Slip_063b22.exe	90
PID 1940 wrote to memory of 1660	1940	Slip_063b22.exe	90
PID 1940 wrote to memory of 1660	1940	Slip_063b22.exe	90
PID 1940 wrote to memory of 1660	1940	Slip_063b22.exe	90
PID 1940 wrote to memory of 1660	1940	Slip_063b22.exe	90
PID 1940 wrote to memory of 1660	1940	Slip_063b22.exe	90
PID 1940 wrote to memory of 1660	1940	Slip_063b22.exe	90
PID 1940 wrote to memory of 1660	1940	Slip_063b22.exe	90
PID 1940 wrote to memory of 1660	1940	Slip_063b22.exe	90
PID 1940 wrote to memory of 1660	1940	Slip_063b22.exe	90
PID 1940 wrote to memory of 1660	1940	Slip_063b22.exe	90
PID 1940 wrote to memory of 1660	1940	Slip_063b22.exe	90

C:\Users\Admin\AppData\Local\Temp\Slip_063b22.exe
"C:\Users\Admin\AppData\Local\Temp\Slip_063b22.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:1264
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 84
    3⤵
    - Program crash
    PID:4796
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:4696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 84
    3⤵
    - Program crash
    PID:4540
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1264 -ip 1264
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4696 -ip 4696
1⤵
PID:4124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1660-147-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/1660-174-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/1660-146-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/1660-139-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/1660-141-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/1660-142-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/1660-140-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/1660-143-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/1660-144-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/1660-148-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/1660-137-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/1660-145-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/1660-149-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/1660-153-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/1660-156-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/1660-158-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/1660-157-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/1660-167-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/1660-171-0x0000000006700000-0x0000000006792000-memory.dmp

Filesize
584KB

Download
memory/1660-172-0x00000000067A0000-0x000000000683C000-memory.dmp

Filesize
624KB

Download
memory/1660-173-0x00000000078E0000-0x0000000007E84000-memory.dmp

Filesize
5.6MB

Download