MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6d2fe1a8ba40429708ec5c70159fcff0e9741ea260ea93e3665d6ea752f96d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HiveRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6d2fe1a8ba40429708ec5c70159fcff0e9741ea260ea93e3665d6ea752f96d3
SHA3-384 hash: 4ffad9462a37d35555b403f0fee6c974085875673409e613cbbc5716a973d27d4ec21676c97df2ac985cbabd82ac4d3e
SHA1 hash: 5a48020b486ab74eea85cf88d647dc2ba0994ace
MD5 hash: f4f48519f108900933d0dd0e8aa1f40f
humanhash: seven-oregon-mississippi-kentucky
File name:Booking Confirmation 110420203251 - copy - PDF.exe
Download: download sample
Signature HiveRAT
Create hunting rule
File size:352'768 bytes
First seen:2020-11-05 11:46:04 UTC
Last seen:2021-03-09 22:14:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:UUTpfg+NHDAmLBQTZdvxr9q708pBv5lKgUOFQx2mhtc5V:ltg+NHMoBQTZdCJ5QgK3i
Threatray 21 similar samples on MalwareBazaar
TLSH 4C74AE66DEA34133C5D7E67EC4A3804B1EADD880C091915C7BD987DA01DDE2CF8D6A8E
Reporter abuse_ch
Tags:exe HiveRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mx-ma.velo.net.id
Sending IP: 203.153.98.83
From: ''Maersk Booking Service'' <pnh@ncsline.com>
Reply-To: ''Maersk Booking Service'' <maerskbooking_dept@protonmail.com>
Subject: Re: Booking Confirmation: #110420203251
Attachment: Booking Confirmation 110420203251 - copy - PDF.uu (contains "Booking Confirmation 110420203251 - copy - PDF.exe")

Intelligence

File Origin
# of uploads :
4
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection:
FirebirdRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/83246/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.48415.26742.23275.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Creating a window
Creating a file
DNS request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Enabling autorun by creating a file
Deleting of the original file
Result
Threat name:
AveMaria Hive RAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/521405
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Contains functionality to hide user accounts
Drops PE files to the startup folder
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AveMaria stealer
Yara detected Hive RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 309804 Sample: Booking Confirmation 110420... Startdate: 05/11/2020 Architecture: WINDOWS Score: 100 52 local.urown.cloud 2->52 60 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Antivirus detection for dropped file 2->64 66 11 other signatures 2->66 10 Booking Confirmation 110420203251 - copy - PDF.exe 3 2->10         started        14 Booking Confirmation 110420203251 - copy - PDF.exe 3 2->14         started        signatures3 process4 file5 44 Booking Confirmati... copy - PDF.exe.log, ASCII 10->44 dropped 68 Injects a PE file into a foreign processes 10->68 16 Booking Confirmation 110420203251 - copy - PDF.exe 3 10->16         started        21 cmd.exe 1 14->21         started        signatures6 process7 dnsIp8 46 local.urown.cloud 194.5.97.146, 4050, 49745, 49746 DANILENKODE Netherlands 16->46 48 ivy20.urown.cloud 16->48 50 192.168.2.1 unknown unknown 16->50 42 C:\Users\user\AppData\Local\waz.exe, PE32 16->42 dropped 54 Tries to steal Mail credentials (via file access) 16->54 56 Tries to harvest and steal browser information (history, passwords, etc) 16->56 58 Suspicious powershell command line found 21->58 23 powershell.exe 3 19 21->23         started        25 conhost.exe 21->25         started        27 timeout.exe 1 21->27         started        file9 signatures10 process11 process12 29 Booking Confirmation 110420203251 - copy - PDF.exe 2 23->29         started        32 wscript.exe 23->32         started        signatures13 70 Injects a PE file into a foreign processes 29->70 34 Booking Confirmation 110420203251 - copy - PDF.exe 29->34         started        36 Booking Confirmation 110420203251 - copy - PDF.exe 29->36         started        38 Booking Confirmation 110420203251 - copy - PDF.exe 29->38         started        40 Booking Confirmation 110420203251 - copy - PDF.exe 29->40         started        72 Drops PE files to the startup folder 32->72 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f6d2fe1a8ba40429708ec5c70159fcff0e9741ea260ea93e3665d6ea752f96d3/
Threat name:
ByteCode-MSIL.Spyware.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2020-11-05 03:17:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
22 of 29 (75.86%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=63jp4guluqccs4eoyxdqcwp474hjoqpkeyhksprwmxlou5jps3jq._file
Verdict:
unknown
Similar samples:
091fa5c2da8704e463202cad1bdd4f766ca66c28b3f60348c03288c4d4c3ce32
HiveRAT
1c6126424bce5c1a5456567f26e821c877262af45c92a6aa7989e6fff22e7add
HiveRAT
310357fce084be8373ed754c4a6ea2fb426d90aac3d1fb1fffae16b63051b9c4
HiveRAT
4f3145508f4292ca3bfb6d9d4284b50df0834743676e6b951e71b4248d0d1a72
HiveRAT
5ff5a39cd321aac82297c3d5f082875e7b1e5c2c9229511dbcabe9d756d1b867
HiveRAT
99a8b22ec655fd50aa2bdb93b05e8533ec539feeffacf592cf038a6ede299314
HiveRAT
d237bfb6873a7430aa8c8b7c3a44d20a6234a3862a7135c92f202f315c8eb86d
HiveRAT
d24e24c8882b4e2c4536fa7f250cfb7255a0f68e8514a6395b6fae251483da56
HiveRAT
eb53bc375d2e8514764dfeb47aa11eed953ceb68982ce63b312dd6d96de6216c
HiveRAT
ef487c1055b8387187c2874c5705dd7a35b13348cad2f15e9cde486bbf850e95
HiveRAT
+ 11 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
spyware
Link:
https://tria.ge/reports/201105-8lhrre6d56/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetThreadContext
Drops startup file
Reads user/profile data of web browsers
Beds Protector Packer
Unpacked files
SH256 hash:
f6d2fe1a8ba40429708ec5c70159fcff0e9741ea260ea93e3665d6ea752f96d3
MD5 hash:
f4f48519f108900933d0dd0e8aa1f40f
SHA1 hash:
5a48020b486ab74eea85cf88d647dc2ba0994ace
Link:
https://www.unpac.me/results/5e630211-1157-49f3-a323-baca4753d6e7/
SH256 hash:
317ba90c008fcca678553cde4b8aff72e094e07323681575407874a73f67b30f
MD5 hash:
2fcc7a1cae16f675277edb97528a426a
SHA1 hash:
6411b0d0d52ceefaf2c15e2432de4496e3fe1baf
Link:
https://www.unpac.me/results/5e630211-1157-49f3-a323-baca4753d6e7/
SH256 hash:
aee68b686141737c84b24dcae6b1654641006d2002c7485a16ef7399c38c3579
MD5 hash:
a5f3f80330bdec032aad8e929039a0e1
SHA1 hash:
9062ad2bdc2c2959b0284eb4436d37ac4e964d42
Detections:
win_agent_tesla_g1
Create hunting rule
Link:
https://www.unpac.me/results/5e630211-1157-49f3-a323-baca4753d6e7/
Parent samples :
f6d2fe1a8ba40429708ec5c70159fcff0e9741ea260ea93e3665d6ea752f96d3
84e2088ea38d600fd562925b840117483cf4683573e92106c23c19bdfae2f878
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:win_agent_tesla_g1
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

9ce68a296de60b4a10797ffd2daab29a

HiveRAT

Executable exe f6d2fe1a8ba40429708ec5c70159fcff0e9741ea260ea93e3665d6ea752f96d3

(this sample)

  
Dropped by
MD5 9ce68a296de60b4a10797ffd2daab29a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/83246/

Comments