hancitor | e4d6561ef40ae9c9e4343fb6184523a2f1fd90653245bd9ed017c858d49fc6c3 | Triage

Submit
Reports

Static

static

8

in_6.xls

windows7_x64

in_6.xls

windows10_x64

Sharing

General

Target

in_6.xls
Size

90KB
Sample

200715-2sf2hqrd7x
MD5

d72515d8b2eecab727781df270c548b3
SHA1

1578bed7a4a4c4d61f8c1fc003b0d26feaf56e09
SHA256

e4d6561ef40ae9c9e4343fb6184523a2f1fd90653245bd9ed017c858d49fc6c3
SHA512

66a790306116ce388685568063287dd663639f9d4adc06e668ea45f6e29810c6e35c7ad5beeafd7cf6b82e5e89c6e42f8c427b3eb8951637bc5ae2153d4590bc

Score

10^/10

hancitor pony 1307_qsew downloader macro rat spyware stealer xlm

Static task

static1

Behavioral task

behavioral1

Sample

in_6.xls

Resource

win7v200430

hancitor pony 1307_qsew downloader rat spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

in_6.xls

Resource

win10

hancitor pony 1307_qsew downloader rat spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

hancitor

Botnet

1307_qsew

C2

http://overnightfile.com/4/forum.php

http://toolboxkasa.ru/4/forum.php

http://ibexjade.ru/4/forum.php

Targets

- Target
  
  in_6.xls
- Size
  
  90KB
- MD5
  
  d72515d8b2eecab727781df270c548b3
- SHA1
  
  1578bed7a4a4c4d61f8c1fc003b0d26feaf56e09
- SHA256
  
  e4d6561ef40ae9c9e4343fb6184523a2f1fd90653245bd9ed017c858d49fc6c3
- SHA512
  
  66a790306116ce388685568063287dd663639f9d4adc06e668ea45f6e29810c6e35c7ad5beeafd7cf6b82e5e89c6e42f8c427b3eb8951637bc5ae2153d4590bc
Score

10^/10

hancitor pony 1307_qsew downloader rat spyware stealer
- Hancitor
  Hancitor is downloader used to deliver other malware families.
  downloader hancitor
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

hancitorpony1307_qsewdownloaderratspywarestealer

behavioral2

hancitorpony1307_qsewdownloaderratspywarestealer

© 2018-2024

Terms | Privacy