General
Target: 2024-12-20_ec006198d15565a8848fbe7062ec330a_hive_poet-rat
Size: 6.9MB
Sample: 241220-r5k4psxnhw
MD5: ec006198d15565a8848fbe7062ec330a
SHA1: 1eff0b0741f06c520ddc1d9e7ebd713cc1bea5cc
SHA256: 826abc3becf8f35d4cc5d6d1a88d26820aa31abd1d27a9e260475ca1ddcdd84c
SHA512: d5f656f1c78f6d6f1f477ce6142e7f075976f6684dc8c942db40acf9034ea798b9bb4df9945eec271a143e9343d9906aea63fed3d9c6b28e212d041078dd88b9
SSDEEP: 49152:2oHe1pxcmPvCldt6C+P2zw6foGB4FZbNvaNuAkpaDVcpj6vqcIINgRW24l2iyGfi:29OtePU9foGB4yuEZTvfl/A1zUEgNz
Static task: static1
Behavioral task: behavioral1
Sample: 2024-12-20_ec006198d15565a8848fbe7062ec330a_hive_poet-rat
Resource: ubuntu2404-amd64-20240523-en
Malware Config
Targets
Target: 2024-12-20_ec006198d15565a8848fbe7062ec330a_hive_poet-rat
XMRig Miner payload
Xmrig family
Xmrig_linux family
Adds new SSH keys: writes to the SSH authorized_keys file, the per-user file that holds the public keys permitted to log in. The threat actor may add keys for further remote access.
File and Directory Permissions Modification: adversaries may modify file or directory permissions to evade defenses.
Executes dropped EXE: runs a file that the sample itself wrote to disk.
Modifies hosts file: adds entries to /etc/hosts, which maps hostnames to IP addresses.
Checks hardware identifiers (DMI): reads DMI information, which can indicate whether the system is a virtual machine.
Creates/modifies Cron job: cron runs tasks on a schedule and is commonly used for malware persistence.
Creates/modifies environment variables: creating or modifying environment variables (such as PATH) is a common persistence and execution-hijacking mechanism.
Disables AppArmor: disables the AppArmor security module.
Enumerates running processes: discovers information about the processes currently running on the system.
Modifies systemd: adds or modifies systemd service files, likely to achieve persistence.
Reads hardware information: accesses system information such as serial numbers and manufacturer names.
Modifies Bash startup script: changes a Bash startup script (for example .bashrc or /etc/profile) so that code runs whenever a shell starts.
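The signatures above name concrete on-disk artifacts (authorized_keys, cron entries, systemd units, /etc/hosts, shell startup scripts, an AppArmor switch-off). The script below is an added example, not code from the report or from the sample, that sweeps a mounted image or a live root for those artifacts. The suspicious-path pattern, the hosts baseline and the two AppArmor-disable indicators it looks for are assumptions chosen for illustration; the sample tree it audits is constructed here and is not data recovered from the sandbox run.

```python
import os
import re
import tempfile
from pathlib import Path

# Paths a legitimate cron entry, unit file or shell profile rarely points at: scratch
# and hidden directories. Assumption for illustration; tune to the estate being triaged.
SUSPICIOUS_PATH = re.compile(r"(/tmp/|/dev/shm/|/var/tmp/|/\.[^/\s]+/)")

# Names a stock /etc/hosts carries; any other mapping is flagged for review (assumption).
HOSTS_BASELINE = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback",
                  "ip6-localnet", "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters"}


def _lines(path):
    """Lines of a file, or [] when it is absent or unreadable."""
    try:
        return Path(path).read_text(errors="replace").splitlines()
    except OSError:
        return []


def _home_dirs(root):
    """Yield /root and every directory under /home."""
    if (root / "root").is_dir():
        yield root / "root"
    home = root / "home"
    if home.is_dir():
        yield from (p for p in home.iterdir() if p.is_dir())


def _files_in(directory):
    return [p for p in directory.iterdir() if p.is_file()] if directory.is_dir() else []


def audit(root):
    """Return (category, path, detail) findings for the artifacts the report's signatures describe."""
    root = Path(root)
    findings = []
    # Adds new SSH keys: every active authorized_keys line is worth a look; the comment field helps triage.
    for home in _home_dirs(root):
        keyfile = home / ".ssh" / "authorized_keys"
        for line in _lines(keyfile):
            if line.strip() and not line.startswith("#"):
                findings.append(("ssh_authorized_keys", str(keyfile), line.split()[-1]))
    # Creates/modifies Cron job: system crontab, cron.d drop-ins and per-user spools.
    cron_files = [root / "etc/crontab"]
    for d in ("etc/cron.d", "var/spool/cron/crontabs", "var/spool/cron"):
        cron_files += _files_in(root / d)
    for f in cron_files:
        for line in _lines(f):
            if not line.lstrip().startswith("#") and SUSPICIOUS_PATH.search(line):
                findings.append(("cron", str(f), line.strip()))
    # Modifies systemd: units whose ExecStart points into scratch or hidden directories.
    for unit in _files_in(root / "etc/systemd/system"):
        for line in _lines(unit) if unit.suffix == ".service" else []:
            if line.startswith("ExecStart=") and SUSPICIOUS_PATH.search(line):
                findings.append(("systemd_unit", str(unit), line))
    # Modifies hosts file: any mapping for a name outside the stock loopback set.
    for line in _lines(root / "etc/hosts"):
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and not HOSTS_BASELINE.intersection(fields[1:]):
            findings.append(("hosts", "/etc/hosts", line.strip()))
    # Modifies Bash startup script / environment variables (e.g. PATH interception).
    startup = [root / "etc/profile", root / "etc/bash.bashrc"] + _files_in(root / "etc/profile.d")
    startup += [h / n for h in _home_dirs(root) for n in (".bashrc", ".profile", ".bash_profile")]
    for f in startup:
        for line in _lines(f):
            if not line.lstrip().startswith("#") and SUSPICIOUS_PATH.search(line):
                findings.append(("shell_startup", str(f), line.strip()))
    # Disables AppArmor: two offline-visible methods are a masked unit and apparmor=0 on the
    # kernel command line (assumption: the sample's actual method is not shown in the report).
    svc = root / "etc/systemd/system/apparmor.service"
    if svc.is_symlink() and os.readlink(svc) == "/dev/null":
        findings.append(("apparmor", str(svc), "apparmor.service masked"))
    if any("apparmor=0" in l for l in _lines(root / "etc/default/grub")):
        findings.append(("apparmor", "/etc/default/grub", "apparmor=0 on kernel command line"))
    return findings


# Constructed sample tree mirroring the behaviours the signatures describe; not data from the sample.
SAMPLE_TREE = {
    "root/.ssh/authorized_keys": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnly attacker@example\n",
    "etc/cron.d/sysupdate": "*/5 * * * * root /tmp/.hidden/run.sh >/dev/null 2>&1\n",
    "etc/systemd/system/sysupdate.service": "[Unit]\nDescription=sysupdate\n\n[Service]\n"
        "ExecStart=/tmp/.hidden/run.sh\nRestart=always\n\n[Install]\nWantedBy=multi-user.target\n",
    "etc/hosts": "127.0.0.1 localhost\n::1 localhost ip6-localhost ip6-loopback\n127.0.0.1 updates.example.invalid\n",
    "root/.bashrc": "alias ll='ls -l'\nexport PATH=/tmp/.hidden:$PATH\n",
    "etc/default/grub": 'GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=0"\n',
}


def demo():
    """Materialise the constructed tree in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    for rel, content in SAMPLE_TREE.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(content)
    try:  # mask apparmor.service the way `systemctl mask` does
        os.symlink("/dev/null", root / "etc/systemd/system/apparmor.service")
    except OSError:
        pass
    return audit(root)


if __name__ == "__main__":
    for category, path, detail in demo():
        print(f"{category:20} {path}\n{'':20} {detail}")
```

Point audit() at the mount point of an acquired disk image, or at / on a live host, and review every finding rather than treating the list as a verdict: a 127.0.1.1 line for the machine's own hostname or an administrator's authorized key will also appear, which is the intended trade-off for not missing the actor's additions.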
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Execution
  Command and Scripting Interpreter (1)
    Unix Shell (1)
  Scheduled Task/Job (1)
    Cron (1)
Persistence
  Account Manipulation (1)
    SSH Authorized Keys (1)
  Boot or Logon Autostart Execution (3)
    XDG Autostart Entries (1)
  Boot or Logon Initialization Scripts (1)
    RC Scripts (1)
  Create or Modify System Process (1)
    Systemd Service (1)
  Event Triggered Execution (1)
    Unix Shell Configuration Modification (1)
  Hijack Execution Flow (1)
    Path Interception by PATH Environment Variable (1)
  Scheduled Task/Job (1)
    Cron (1)
Privilege Escalation
  Account Manipulation (1)
    SSH Authorized Keys (1)
  Boot or Logon Autostart Execution (3)
    XDG Autostart Entries (1)
  Boot or Logon Initialization Scripts (1)
    RC Scripts (1)
  Create or Modify System Process (1)
    Systemd Service (1)
  Event Triggered Execution (1)
    Unix Shell Configuration Modification (1)
  Hijack Execution Flow (1)
    Path Interception by PATH Environment Variable (1)
  Scheduled Task/Job (1)
    Cron (1)
Defense Evasion
  File and Directory Permissions Modification (1)
    Linux and Mac File and Directory Permissions Modification (1)
  Hijack Execution Flow (1)
    Path Interception by PATH Environment Variable (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Virtualization/Sandbox Evasion (2)
    System Checks (2)
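The Virtualization/Sandbox Evasion mapping rests on the "Checks hardware identifiers (DMI)" signature. The report does not show how the sample performs that check, so the following is an added example, not the sample's code, of what a user-space DMI check on Linux amounts to: read the vendor and product strings the kernel exposes under /sys/class/dmi/id and match them against hypervisor markers. The marker list and the two DMI snapshots are assumptions constructed for illustration; running it on the analysis VM shows what the sample saw and whether the sandbox's DMI strings need spoofing.

```python
import os

# Substrings that identify common hypervisors in DMI fields. Assumption: a practical
# analyst list, not the one the sample uses. "Microsoft Corporation" alone is left out
# because Surface hardware reports it too; Hyper-V is caught via "Virtual Machine".
VM_MARKERS = {
    "QEMU": "qemu/kvm", "KVM": "qemu/kvm", "VMware": "vmware",
    "VirtualBox": "virtualbox", "innotek": "virtualbox", "Xen": "xen",
    "Virtual Machine": "hyper-v", "Parallels": "parallels",
    "Amazon EC2": "aws", "Google": "gce", "Bochs": "bochs",
}
# Fields readable without root on most distributions.
DMI_FIELDS = ("sys_vendor", "product_name", "board_vendor", "bios_vendor", "chassis_vendor")


def read_dmi(base="/sys/class/dmi/id"):
    """Read the DMI fields a user-space check can reach; missing fields become ""."""
    values = {}
    for name in DMI_FIELDS:
        try:
            with open(os.path.join(base, name), encoding="utf-8", errors="replace") as fh:
                values[name] = fh.read().strip()
        except OSError:
            values[name] = ""
    return values


def classify_dmi(values):
    """Return the hypervisor label a DMI-based VM check would conclude, or None on bare metal."""
    for field in DMI_FIELDS:
        text = values.get(field, "").lower()
        for marker, label in VM_MARKERS.items():
            if marker.lower() in text:
                return label
    return None


# Constructed DMI snapshots for illustration; not values captured from the sandbox in the report.
SAMPLE_QEMU = {"sys_vendor": "QEMU", "product_name": "Standard PC (Q35 + ICH9, 2009)",
               "board_vendor": "", "bios_vendor": "SeaBIOS", "chassis_vendor": "QEMU"}
SAMPLE_SPOOFED = {"sys_vendor": "Dell Inc.", "product_name": "OptiPlex 7090",
                  "board_vendor": "Dell Inc.", "bios_vendor": "Dell Inc.", "chassis_vendor": "Dell Inc."}

if __name__ == "__main__":
    print("constructed QEMU snapshot:", classify_dmi(SAMPLE_QEMU))
    print("constructed spoofed snapshot:", classify_dmi(SAMPLE_SPOOFED))
    print("this host:", classify_dmi(read_dmi()))
```

If classify_dmi(read_dmi()) returns a label on the analysis machine, a sample with this signature can tell it is in a VM from unprivileged reads alone; the same fields are what a hardened sandbox overrides (for QEMU, via the -smbios options) so that the miner and persistence stages still execute under observation.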