MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84e2088ea38d600fd562925b840117483cf4683573e92106c23c19bdfae2f878. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HiveRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84e2088ea38d600fd562925b840117483cf4683573e92106c23c19bdfae2f878
SHA3-384 hash: 83d1065d35d8e1b25518de72549f5c686cae0b3300efc3bd3de0e3fd7cf550076c3370467c2b14c71dd034816ae9eb9a
SHA1 hash: 701970eb6a98cbc8661562155796f0491cf36efe
MD5 hash: f867516ec5e600fb4af968c71b9a2a80
humanhash: october-one-cola-seven
File name:Booking Confirmation 110492024951 - copy - PDF.exe
Download: download sample
Signature HiveRAT
Create hunting rule
File size:802'432 bytes
First seen:2020-11-06 17:37:56 UTC
Last seen:2020-11-06 19:39:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:m0VzAwZX7KDxFf8Dml3WEzi7Dj2K2tzRJEY7epX9tLZ8XMrM3VCd6d:m+zzX7cED62+Kc1JEY7uNi4d6d
Threatray 26 similar samples on MalwareBazaar
TLSH 71059D17B7414654D820B5BA81B5AFD12321FDC22AE5C71D6E8EB3198C733CA7E9E309
Reporter abuse_ch
Tags:exe HiveRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.ArtemisF867516EC5E6.22461.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the Windows subdirectories
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Creating a process from a recently created file
Result
Threat name:
Hive RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/523539
Signature
.NET source code contains very large array initializations
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected Hive RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84e2088ea38d600fd562925b840117483cf4683573e92106c23c19bdfae2f878/
Threat name:
ByteCode-MSIL.Spyware.HiveMon
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 13:25:04 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qtrardvdrvqa7vlcsjnyiaixja6pi2bvopuscbwchqm336xc7b4a._file
Verdict:
unknown
Similar samples:
079a0f977b60a6115bcddb387d8783eeea8cdd7678369c01d0e7b8a6071bf123
HiveRAT
129c12816f1bf3b9b80fc15d4515e5df5cac9b65824f0dff50eade40c2030abb
HiveRAT
317f3e79ff4110f5310f4722d429082ef957112fc16221b28c7e036a4b7f68f8
HiveRAT
399ebb50cdbb6d080806a03d818a7ca38ffc3728bd37f24e0240f6290936766f
HiveRAT
48d549e9bbe11f4e45cd39a99f3668743076c63361d1e7fd7dedcd361b4cf368
HiveRAT
4f3145508f4292ca3bfb6d9d4284b50df0834743676e6b951e71b4248d0d1a72
HiveRAT
6cfae9fac2b59c2520f8911a66bd16899886170ff2a5f17f40161ac47f66b0ff
HiveRAT
784743d25c876a24c62cce46f9227b20c27c44a35b7ddfb152b4ef61e4ca3838
HiveRAT
aa3ad2bc7de6aab74f28326021d7889b90daf829483251016f388c07fb0b6d48
HiveRAT
c960f47eb155a0066c0e4e279c296d0516edf66cf032b44188fe3d7f3a16aef6
HiveRAT
+ 16 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/201106-dv6jg3j51e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
84e2088ea38d600fd562925b840117483cf4683573e92106c23c19bdfae2f878
MD5 hash:
f867516ec5e600fb4af968c71b9a2a80
SHA1 hash:
701970eb6a98cbc8661562155796f0491cf36efe
Link:
https://www.unpac.me/results/8d0b70cd-3c28-463c-8c7c-7c5bd5c6a412/
SH256 hash:
4f690f3cf792f24a571f09740cf25d0979bde8c11180a26864056643c30479cd
MD5 hash:
304cc4a1948539064cfec5b70bd83e21
SHA1 hash:
32b3754f52323fd71b8349f01c9dd4bc4fecd880
Link:
https://www.unpac.me/results/8d0b70cd-3c28-463c-8c7c-7c5bd5c6a412/
SH256 hash:
5886dbc91ebc7a1e9d6b72794eb0bed7403d060a322aec65a9269f52deb4ff46
MD5 hash:
773658b99d7e72b3b75b404c4afc1dec
SHA1 hash:
3938e9d73cdedf65c4a2ee321d6b6a35f62ddb3a
Link:
https://www.unpac.me/results/8d0b70cd-3c28-463c-8c7c-7c5bd5c6a412/
SH256 hash:
aee68b686141737c84b24dcae6b1654641006d2002c7485a16ef7399c38c3579
MD5 hash:
a5f3f80330bdec032aad8e929039a0e1
SHA1 hash:
9062ad2bdc2c2959b0284eb4436d37ac4e964d42
Detections:
win_agent_tesla_g1
Create hunting rule
Link:
https://www.unpac.me/results/8d0b70cd-3c28-463c-8c7c-7c5bd5c6a412/
Parent samples :
f6d2fe1a8ba40429708ec5c70159fcff0e9741ea260ea93e3665d6ea752f96d3
84e2088ea38d600fd562925b840117483cf4683573e92106c23c19bdfae2f878
SH256 hash:
f9c341679423a3ac010b7da292ab6d1ef0ae7e995cd085ada95e1384ba3af38c
MD5 hash:
b1c72a8e99542c64507470535686ddd9
SHA1 hash:
fe3bec4b6e2b7091db68705feb59090c24c8b6ed
Link:
https://www.unpac.me/results/8d0b70cd-3c28-463c-8c7c-7c5bd5c6a412/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments