hiverat | deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62 | Triage

Submit
Reports

Overview

overview

Static

static

3

efc5d47f6d...18.exe

windows7-x64

9

efc5d47f6d...18.exe

windows10-2004-x64

Sharing

General

Target

efc5d47f6d5aa4dbd22cd109aa13ac30_JaffaCakes118
Size

7.6MB
Sample

240921-pfdxzs1frf
MD5

efc5d47f6d5aa4dbd22cd109aa13ac30
SHA1

6427617947cca1dc78c5091dcb2c051ab8d5b949
SHA256

deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62
SHA512

0bf945e9f5f84ed82df9d6c160fb495b0f0e121f86e03ee3cd7acad1e0059d914fffde6ea8e3322015aa184792bbd0f9e9f85697ef9a1d06e172b693f839af29
SSDEEP

196608:wgtgIQ2Y1hyRrWcIaVrtz8cUthPflZsynfr:LJQp1hyRNhVrtzBU7P3nf

Score

10^/10

hiverat discovery evasion rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

efc5d47f6d5aa4dbd22cd109aa13ac30_JaffaCakes118.exe

Resource

win7-20240903-en

discovery evasion

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

efc5d47f6d5aa4dbd22cd109aa13ac30_JaffaCakes118.exe

Resource

win10v2004-20240802-en

hiverat discovery evasion rat stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  efc5d47f6d5aa4dbd22cd109aa13ac30_JaffaCakes118
- Size
  
  7.6MB
- MD5
  
  efc5d47f6d5aa4dbd22cd109aa13ac30
- SHA1
  
  6427617947cca1dc78c5091dcb2c051ab8d5b949
- SHA256
  
  deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62
- SHA512
  
  0bf945e9f5f84ed82df9d6c160fb495b0f0e121f86e03ee3cd7acad1e0059d914fffde6ea8e3322015aa184792bbd0f9e9f85697ef9a1d06e172b693f839af29
- SSDEEP
  
  196608:wgtgIQ2Y1hyRrWcIaVrtz8cUthPflZsynfr:LJQp1hyRNhVrtzBU7P3nf
Score

10^/10

discovery evasion hiverat rat stealer
- HiveRAT
  HiveRAT is an improved version of FirebirdRAT with various capabilities.
  rat stealer hiverat
- HiveRAT payload
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasion

behavioral2

hiveratdiscoveryevasionratstealer

© 2018-2024

Terms | Privacy