Static

static

8

in_6.xls

windows7_x64

10

in_6.xls

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    in_6.xls

  • Size

    90KB

  • Sample

    200715-2sf2hqrd7x

  • MD5

    d72515d8b2eecab727781df270c548b3

  • SHA1

    1578bed7a4a4c4d61f8c1fc003b0d26feaf56e09

  • SHA256

    e4d6561ef40ae9c9e4343fb6184523a2f1fd90653245bd9ed017c858d49fc6c3

  • SHA512

    66a790306116ce388685568063287dd663639f9d4adc06e668ea45f6e29810c6e35c7ad5beeafd7cf6b82e5e89c6e42f8c427b3eb8951637bc5ae2153d4590bc

Score
10/10
hancitorpony1307_qsewdownloadermacroratspywarestealerxlm

Malware Config

Extracted

Family

hancitor

Botnet

1307_qsew

C2

http://overnightfile.com/4/forum.php

http://toolboxkasa.ru/4/forum.php

http://ibexjade.ru/4/forum.php

Targets

    • Target

      in_6.xls

    • Size

      90KB

    • MD5

      d72515d8b2eecab727781df270c548b3

    • SHA1

      1578bed7a4a4c4d61f8c1fc003b0d26feaf56e09

    • SHA256

      e4d6561ef40ae9c9e4343fb6184523a2f1fd90653245bd9ed017c858d49fc6c3

    • SHA512

      66a790306116ce388685568063287dd663639f9d4adc06e668ea45f6e29810c6e35c7ad5beeafd7cf6b82e5e89c6e42f8c427b3eb8951637bc5ae2153d4590bc

    Score
    10/10
    hancitorpony1307_qsewdownloaderratspywarestealer

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

      downloaderhancitor

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks