General

  • Target

    offer_05634.xlsm

  • Size

    115KB

  • Sample

    200512-jb5fzqm1fa

  • MD5

    3e0bbe29e435b2a5bf66091b2bc4efcf

  • SHA1

    af4abd629cf997d80e2a57a37c4fd6408097e324

  • SHA256

    27ba6b6b56747320708fc658ba659bc5d3f77545453ee879cfc6ae210636786c

  • SHA512

    1acd893cd2d57573221dec7ec553eb7f513902d34c8669c15469ec1ca5829d6524cc5c4623c9cf39e863d6203e83343ac1915d2ee24a6be0a2eafdfa353d5c4c

Malware Config

Extracted

Family

hancitor

Botnet

0405_784793234

C2

http://libuions.com/4/forum.php

http://feredrazac.ru/4/forum.php

http://urumerael.ru/4/forum.php
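The extracted C2 list is only useful once it is turned into something that can be matched against traffic. The block below is an added example, not part of the sandbox output: it splits the three C2 URLs above into host and URI-path indicators, scans constructed Zeek-style HTTP log lines for them, and emits one Suricata rule per C2. The log lines, the IP-lookup hostname on the first line, the "same path on an unlisted host" heuristic and the sid range are all assumptions of this example, not facts from the report.

```python
"""Match the extracted Hancitor C2 URLs against HTTP log lines.

Added example for this report, not part of the sandbox output. The three
C2 URLs are the ones extracted above; the log lines are constructed.
"""
from urllib.parse import urlsplit

# C2 URLs copied from the extracted config above.
C2_URLS = [
    "http://libuions.com/4/forum.php",
    "http://feredrazac.ru/4/forum.php",
    "http://urumerael.ru/4/forum.php",
]


def iocs_from_config(urls):
    """Split C2 URLs into a set of hostnames and a set of URI paths."""
    hosts, paths = set(), set()
    for url in urls:
        parts = urlsplit(url)
        hosts.add(parts.hostname.lower())
        paths.add(parts.path)
    return hosts, paths


# Constructed log lines in a simplified Zeek http.log layout (tab separated):
# ts, src_ip, dst_ip, method, host, uri, user_agent.  The IP-lookup host on
# the first line is a demo choice, not a service the report names.
SAMPLE_HTTP_LOG = (
    "1589300000.1\t10.0.0.5\t203.0.113.10\tGET\tapi.ipify.org\t/\tMozilla/5.0\n"
    "1589300001.2\t10.0.0.5\t203.0.113.20\tPOST\tlibuions.com\t/4/forum.php\tMozilla/5.0\n"
    "1589300002.3\t10.0.0.5\t203.0.113.30\tPOST\tunrelated.example\t/4/forum.php\tMozilla/5.0\n"
    "1589300003.4\t10.0.0.5\t203.0.113.40\tGET\twww.example.com\t/index.html\tMozilla/5.0\n"
)


def scan_http_log(log_text, urls=C2_URLS):
    """Return one hit dict per log line that matches the C2 indicators."""
    hosts, paths = iocs_from_config(urls)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, method, host, uri, _ua = line.split("\t")
        host = host.lower()
        if host in hosts and uri in paths:
            reason = "known Hancitor C2 URL"
        elif method == "POST" and uri in paths:
            # Heuristic, an assumption of this example: the config rotates
            # domains but all three C2s share one path, so the same path
            # POSTed to an unlisted host is worth triage rather than a miss.
            reason = "C2 URI path on host not in config"
        else:
            continue
        hits.append({"ts": ts, "src": src, "host": host, "uri": uri, "reason": reason})
    return hits


def suricata_rules(urls=C2_URLS, base_sid=1000001):
    """Emit one Suricata (v5+ sticky-buffer syntax) rule per C2 URL.
    The sid range is a placeholder; allocate from your local range."""
    rules = []
    for i, url in enumerate(urls):
        parts = urlsplit(url)
        rules.append(
            'alert http $HOME_NET any -> $EXTERNAL_NET any ('
            f'msg:"Hancitor C2 check-in to {parts.hostname}"; '
            'flow:established,to_server; '
            f'http.host; content:"{parts.hostname}"; '
            f'http.uri; content:"{parts.path}"; '
            f'classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for hit in scan_http_log(SAMPLE_HTTP_LOG):
        print(hit)
    print("\n".join(suricata_rules()))
```

Against the constructed log the scanner reports the check-in to libuions.com as a known C2 and the POST to unrelated.example as a path-only match for analyst review; the GET to the IP-lookup host is not flagged by itself, since that signal only becomes interesting in combination with the beacon that follows it.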

Targets

    • Target

      offer_05634.xlsm

    • Size

      115KB

    • MD5

      3e0bbe29e435b2a5bf66091b2bc4efcf

    • SHA1

      af4abd629cf997d80e2a57a37c4fd6408097e324

    • SHA256

      27ba6b6b56747320708fc658ba659bc5d3f77545453ee879cfc6ae210636786c

    • SHA512

      1acd893cd2d57573221dec7ec553eb7f513902d34c8669c15469ec1ca5829d6524cc5c4623c9cf39e863d6203e83343ac1915d2ee24a6be0a2eafdfa353d5c4c

    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Pony, Fareit

      Pony (also tracked as Fareit) is an information-stealing trojan that harvests stored credentials from the infected host.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

    • Suspicious use of SetThreadContext
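Two of the signatures above, an Office process spawning an unexpected child and a dropped DLL being loaded, are the ones most easily turned into host-side detections. The block below is an added example, not part of the sandbox output or of any vendor's rule set: it runs two simple rules over constructed Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records. The event layout, the list of Office parents, the allow-list of expected children, the user-writable path fragments and the sample paths are all assumptions of this example and should be tuned to the environment.

```python
"""Flag an Office parent spawning an unexpected child, and a DLL loaded from
a user-writable directory, over constructed Sysmon-style events.

Added example for this report, not sandbox output. Field names follow the
Sysmon schema; the allow-lists and sample paths are this example's choices.
"""

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Children Office starts legitimately (assumption; extend per environment).
EXPECTED_CHILDREN = {"splwow64.exe", "excel.exe", "winword.exe", "powerpnt.exe"}
# Path fragments that mark user-writable locations (assumption).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed events: a benign print-spooler child, a rundll32 child pointing
# at a DLL in %TEMP%, that DLL being loaded, and a normal system DLL load.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\splwow64.exe", "CommandLine": "splwow64.exe 8192"},
    {"EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\victim\AppData\Local\Temp\payload.dll,Start"},
    {"EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\payload.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]


def basename(path):
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(event):
    """Return a list of (rule_name, detail) findings for one event."""
    findings = []
    if event["EventID"] == 1:
        parent = basename(event["ParentImage"])
        child = basename(event["Image"])
        if parent in OFFICE_PARENTS and child not in EXPECTED_CHILDREN:
            findings.append(("office_unexpected_child",
                             f"{parent} -> {child}: {event['CommandLine']}"))
    elif event["EventID"] == 7:
        loaded = event["ImageLoaded"].lower()
        # Unsigned code loaded from a user-writable path is the "dropped DLL"
        # case; signed loads from those paths still deserve a second rule.
        if any(frag in loaded for frag in USER_WRITABLE) and event.get("Signed") != "true":
            findings.append(("dll_from_user_writable",
                             f"{basename(event['Image'])} loaded {event['ImageLoaded']}"))
    return findings


def scan_events(events):
    """Run every rule over every event and collect the findings in order."""
    return [finding for event in events for finding in check_event(event)]


if __name__ == "__main__":
    for rule, detail in scan_events(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

On the constructed events the splwow64.exe child and the kernel32.dll load pass, while the rundll32.exe child of EXCEL.EXE and the unsigned load from %TEMP% each produce a finding. Matching on the basename rather than the full path keeps the rule working across Office install locations, at the cost of being fooled by a renamed binary, which is why pairing it with the image-load rule matters.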

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 2

Tasks