hiverat | f11feea70f4567a05c7115eb7357c132f15f83b9d96d053dd6d18c3a1c2410d6

General

Target

772da501d7b845bfafca8fe091e03fc1.exe
Size

552KB
MD5

772da501d7b845bfafca8fe091e03fc1
SHA1

db4b4fc45bfd286c23db04843219629e134c20dc
SHA256

f11feea70f4567a05c7115eb7357c132f15f83b9d96d053dd6d18c3a1c2410d6
SHA512

83197cf9c1177b21b871dd76c77958dbb9f5dec4adca6994f9a734700c2b4fb814863472e375cafc86272b2ad01fa9e19db6f45d6d794b1b3a64228aa1df1212
SSDEEP

12288:4pqgxhTiAw4KjcUeCZuElfG9UtMW4++IN6zOYrbaq:ohhfw4KjreChif+pN6LPD

Score

10^/10

hiverat persistence rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

HiveRAT payload 18 IoCs

resource	yara_rule
behavioral1/memory/2704-12-0x0000000000400000-0x000000000047A000-memory.dmp	family_hiverat
behavioral1/memory/2704-14-0x0000000000400000-0x000000000047A000-memory.dmp	family_hiverat
behavioral1/memory/2704-16-0x0000000000400000-0x000000000047A000-memory.dmp	family_hiverat
behavioral1/memory/2704-18-0x0000000000400000-0x000000000047A000-memory.dmp	family_hiverat
behavioral1/memory/2704-20-0x0000000000400000-0x000000000047A000-memory.dmp	family_hiverat
behavioral1/memory/2704-22-0x0000000000400000-0x000000000047A000-memory.dmp	family_hiverat
behavioral1/memory/2704-25-0x0000000000400000-0x000000000047A000-memory.dmp	family_hiverat
behavioral1/memory/2704-28-0x0000000000400000-0x000000000047A000-memory.dmp	family_hiverat
behavioral1/memory/2704-30-0x0000000000400000-0x000000000047A000-memory.dmp	family_hiverat
behavioral1/memory/2704-34-0x0000000000400000-0x000000000047A000-memory.dmp	family_hiverat
behavioral1/memory/2704-35-0x0000000000400000-0x000000000047A000-memory.dmp	family_hiverat
behavioral1/memory/2704-36-0x0000000000400000-0x000000000047A000-memory.dmp	family_hiverat
behavioral1/memory/2704-37-0x0000000000400000-0x000000000047A000-memory.dmp	family_hiverat
behavioral1/memory/2704-41-0x0000000000400000-0x000000000047A000-memory.dmp	family_hiverat
behavioral1/memory/2704-44-0x0000000000400000-0x000000000047A000-memory.dmp	family_hiverat
behavioral1/memory/2704-45-0x0000000000400000-0x000000000047A000-memory.dmp	family_hiverat
behavioral1/memory/2704-46-0x0000000000400000-0x000000000047A000-memory.dmp	family_hiverat
behavioral1/memory/2980-57-0x00000000026B0000-0x00000000026F0000-memory.dmp	family_hiverat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\chrome.exe"	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 2704	2040	772da501d7b845bfafca8fe091e03fc1.exe	30

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2980	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2704	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	772da501d7b845bfafca8fe091e03fc1.exe
Token: SeDebugPrivilege	2704	RegAsm.exe
Token: SeDebugPrivilege	2980	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2980	2040	772da501d7b845bfafca8fe091e03fc1.exe	28
PID 2040 wrote to memory of 2980	2040	772da501d7b845bfafca8fe091e03fc1.exe	28
PID 2040 wrote to memory of 2980	2040	772da501d7b845bfafca8fe091e03fc1.exe	28
PID 2040 wrote to memory of 2980	2040	772da501d7b845bfafca8fe091e03fc1.exe	28
PID 2040 wrote to memory of 2704	2040	772da501d7b845bfafca8fe091e03fc1.exe	30
PID 2040 wrote to memory of 2704	2040	772da501d7b845bfafca8fe091e03fc1.exe	30
PID 2040 wrote to memory of 2704	2040	772da501d7b845bfafca8fe091e03fc1.exe	30
PID 2040 wrote to memory of 2704	2040	772da501d7b845bfafca8fe091e03fc1.exe	30
PID 2040 wrote to memory of 2704	2040	772da501d7b845bfafca8fe091e03fc1.exe	30
PID 2040 wrote to memory of 2704	2040	772da501d7b845bfafca8fe091e03fc1.exe	30
PID 2040 wrote to memory of 2704	2040	772da501d7b845bfafca8fe091e03fc1.exe	30
PID 2040 wrote to memory of 2704	2040	772da501d7b845bfafca8fe091e03fc1.exe	30
PID 2040 wrote to memory of 2704	2040	772da501d7b845bfafca8fe091e03fc1.exe	30
PID 2040 wrote to memory of 2704	2040	772da501d7b845bfafca8fe091e03fc1.exe	30
PID 2040 wrote to memory of 2704	2040	772da501d7b845bfafca8fe091e03fc1.exe	30
PID 2040 wrote to memory of 2704	2040	772da501d7b845bfafca8fe091e03fc1.exe	30
PID 2040 wrote to memory of 2704	2040	772da501d7b845bfafca8fe091e03fc1.exe	30
PID 2040 wrote to memory of 2704	2040	772da501d7b845bfafca8fe091e03fc1.exe	30
PID 2040 wrote to memory of 2704	2040	772da501d7b845bfafca8fe091e03fc1.exe	30
PID 2040 wrote to memory of 2704	2040	772da501d7b845bfafca8fe091e03fc1.exe	30

C:\Users\Admin\AppData\Local\Temp\772da501d7b845bfafca8fe091e03fc1.exe
"C:\Users\Admin\AppData\Local\Temp\772da501d7b845bfafca8fe091e03fc1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'windows';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'windows' -Value '"C:\Users\Admin\AppData\Roaming\microsoft\chrome.exe"' -PropertyType 'String'
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2040-0-0x0000000000F40000-0x0000000000FD0000-memory.dmp

Filesize
576KB

Download
memory/2040-1-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2040-2-0x0000000000590000-0x00000000005D0000-memory.dmp

Filesize
256KB

Download
memory/2040-3-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2040-4-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2040-5-0x0000000000590000-0x00000000005D0000-memory.dmp

Filesize
256KB

Download
memory/2040-6-0x00000000009A0000-0x0000000000A18000-memory.dmp

Filesize
480KB

Download
memory/2040-7-0x0000000000D90000-0x0000000000E08000-memory.dmp

Filesize
480KB

Download
memory/2040-27-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2704-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2704-35-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2704-14-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2704-16-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2704-18-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2704-20-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2704-22-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2704-10-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2704-25-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2704-9-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2704-28-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2704-30-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2704-34-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2704-12-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2704-36-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2704-37-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2704-41-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2704-44-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2704-45-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2704-46-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2980-55-0x00000000733A0000-0x000000007394B000-memory.dmp

Filesize
5.7MB

Download
memory/2980-56-0x00000000733A0000-0x000000007394B000-memory.dmp

Filesize
5.7MB

Download
memory/2980-57-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/2980-58-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/2980-59-0x00000000733A0000-0x000000007394B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads