MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f3145508f4292ca3bfb6d9d4284b50df0834743676e6b951e71b4248d0d1a72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HiveRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f3145508f4292ca3bfb6d9d4284b50df0834743676e6b951e71b4248d0d1a72
SHA3-384 hash: 7e93464c1021313dbda4e091ff8de9b9b1029f0bfb8536533fba5e1e1787b0e4e0f4af5ca4073924f8e73a2b9ad1ada6
SHA1 hash: a5360105e7b4d5316c88e5403013dd395c1ab145
MD5 hash: d36537604871b3550a9c5c635c37a601
humanhash: zebra-foxtrot-magnesium-blossom
File name:Booking Confirmation591773251.exe
Download: download sample
Signature HiveRAT
Create hunting rule
File size:948'864 bytes
First seen:2020-11-02 14:42:40 UTC
Last seen:2020-11-02 17:03:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Ktw5o2kGIioMyQEwaQSAY/YRHBOm487UOUc:awoRGItiEwRFY/eglsUc
Threatray 30 similar samples on MalwareBazaar
TLSH DF153912B34A8694C465357745B4FB9137A7FAC7BB108B0E220B429859433C6BF1EBED
Reporter James_inthe_box
Tags:exe HiveRAT

Code Signing Certificate

Organisation:Symantec Time Stamping Services CA - G2
Issuer:Thawte Timestamping CA
Algorithm:sha1WithRSAEncryption
Valid from:Dec 21 00:00:00 2012 GMT
Valid to:Dec 30 23:59:59 2020 GMT
Serial number: 7E93EBFB7CC64E59EA4B9A77D406FC3B
Intelligence: 85 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 0625FEE1A80D7B897A9712249C2F55FF391D6661DBD8B87F9BE6F252D88CED95
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/81820/
Detection(s):
SecuriteInfo.com.Generic.mg.d36537604871b355.15337.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Creating a process from a recently created file
Result
Threat name:
Hive RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/518230
Signature
.NET source code contains very large array initializations
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses cmd line tools excessively to alter registry or file data
Yara detected Hive RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 308216 Sample: Booking Confirmation591773251.exe Startdate: 02/11/2020 Architecture: WINDOWS Score: 100 72 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 Yara detected Hive RAT 2->76 78 3 other signatures 2->78 10 Booking Confirmation591773251.exe 5 2->10         started        14 images.exe 2->14         started        16 images.exe 2->16         started        process3 file4 62 C:\...\Booking Confirmation591773251.exe.log, ASCII 10->62 dropped 86 Hides that the sample has been downloaded from the Internet (zone.identifier) 10->86 18 cmd.exe 1 10->18         started        20 cmd.exe 2 10->20         started        23 InstallUtil.exe 14->23         started        signatures5 process6 file7 25 images.exe 3 18->25         started        28 conhost.exe 18->28         started        60 C:\Users\user\AppData\Roaming\...\images.exe, PE32 20->60 dropped 30 conhost.exe 20->30         started        process8 signatures9 80 Multi AV Scanner detection for dropped file 25->80 82 Uses cmd line tools excessively to alter registry or file data 25->82 84 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->84 32 InstallUtil.exe 2 25->32         started        36 cmd.exe 1 25->36         started        38 cmd.exe 1 25->38         started        40 7 other processes 25->40 process10 dnsIp11 64 ada.urown.cloud 194.5.97.146, 49705, 5200 DANILENKODE Netherlands 32->64 66 Tries to steal Mail credentials (via file access) 32->66 68 Tries to harvest and steal browser information (history, passwords, etc) 32->68 70 Uses cmd line tools excessively to alter registry or file data 36->70 42 reg.exe 1 36->42         started        44 conhost.exe 36->44         started        46 conhost.exe 38->46         started        48 reg.exe 1 1 38->48         started        50 conhost.exe 40->50         started        52 reg.exe 40->52         started        54 conhost.exe 40->54         started        56 9 other processes 40->56 signatures12 process13 process14 58 conhost.exe 42->58         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f3145508f4292ca3bfb6d9d4284b50df0834743676e6b951e71b4248d0d1a72/
Threat name:
ByteCode-MSIL.Backdoor.HiveMon
Create hunting rule
Status:
Malicious
First seen:
2020-11-02 11:53:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
33
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j4yukuepikjmuo73nwoufbfvbxyigr2dm5xgxfi6og2cjdindjza._file
Verdict:
unknown
Similar samples:
0883afdfb58fea1f9e76540ef67cdfb4fba1cc37881272aea45237bcd873fd4d
HiveRAT
32ec92b57297749ae4e4cc6299579355e77573ffdf0b125d1f65ebcc62b9fbfb
HiveRAT
49a63eb1c6fd5d4b22396bb8a8397c3bf124c3f94d104bc2a7a304f4457b4526
HiveRAT
5da82dd52f913ff5d416ec5479133a0f89cd5d835d2fbd964f32191f642ca9fa
HiveRAT
72a959105f9b0f7974ea6c2c73a211ec87e6eb78bb4723a1051832bda7307709
HiveRAT
7862be8b6b58fc073c3b91badfeab7f5d939725074f2022be9430f89c594692d
HiveRAT
82a70ddc4cfbdda1bc73daeba06d0812701ee2502812f8aa648cc0b55ac377c8
HiveRAT
bbd91445baa27c316821c545a5aef3079d7bed7beac77de667f88d1617439215
HiveRAT
c208e1ec65a3bbfa95c6afc65532d2aeacf5a32baf4904853fee56f8b827e020
HiveRAT
c960f47eb155a0066c0e4e279c296d0516edf66cf032b44188fe3d7f3a16aef6
HiveRAT
+ 20 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/201102-qmzdv5yy92/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
4f3145508f4292ca3bfb6d9d4284b50df0834743676e6b951e71b4248d0d1a72
MD5 hash:
d36537604871b3550a9c5c635c37a601
SHA1 hash:
a5360105e7b4d5316c88e5403013dd395c1ab145
Link:
https://www.unpac.me/results/5ea6c58c-a2c6-473e-8e05-bb70f0741bab/
SH256 hash:
37e770689ee2a5d12bc692cec6a7c7691f6f6086476301268016588f6434edbe
MD5 hash:
82508ed0955e43d129e7fc0423a7da99
SHA1 hash:
25fde031b8e9e59a0e6311e7f0d9d48497642978
Detections:
win_agent_tesla_g1
Create hunting rule
Link:
https://www.unpac.me/results/5ea6c58c-a2c6-473e-8e05-bb70f0741bab/
SH256 hash:
4f690f3cf792f24a571f09740cf25d0979bde8c11180a26864056643c30479cd
MD5 hash:
304cc4a1948539064cfec5b70bd83e21
SHA1 hash:
32b3754f52323fd71b8349f01c9dd4bc4fecd880
Link:
https://www.unpac.me/results/5ea6c58c-a2c6-473e-8e05-bb70f0741bab/
SH256 hash:
f9c341679423a3ac010b7da292ab6d1ef0ae7e995cd085ada95e1384ba3af38c
MD5 hash:
b1c72a8e99542c64507470535686ddd9
SHA1 hash:
fe3bec4b6e2b7091db68705feb59090c24c8b6ed
Link:
https://www.unpac.me/results/5ea6c58c-a2c6-473e-8e05-bb70f0741bab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4f3145508f4292ca3bfb6d9d4284b50df0834743676e6b951e71b4248d0d1a72

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:win_agent_tesla_g1
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/81820/

Comments