in_6.xls

General
Target: in_6.xls
Size: 90KB
Sample: 200715-2sf2hqrd7x
Score: 10/10
MD5: d72515d8b2eecab727781df270c548b3
SHA1: 1578bed7a4a4c4d61f8c1fc003b0d26feaf56e09
SHA256: e4d6561ef40ae9c9e4343fb6184523a2f1fd90653245bd9ed017c858d49fc6c3
SHA512: 66a790306116ce388685568063287dd663639f9d4adc06e668ea45f6e29810c6e35c7ad5beeafd7cf6b82e5e89c6e42f8c427b3eb8951637bc5ae2153d4590bc

Malware Config

Extracted
Family: hancitor
Botnet: 1307_qsew
C2:
  http://overnightfile.com/4/forum.php
  http://toolboxkasa.ru/4/forum.php
  http://ibexjade.ru/4/forum.php

Targets
Target: in_6.xls
MD5: d72515d8b2eecab727781df270c548b3
Filesize: 90KB
Score: 10/10
SHA1: 1578bed7a4a4c4d61f8c1fc003b0d26feaf56e09
SHA256: e4d6561ef40ae9c9e4343fb6184523a2f1fd90653245bd9ed017c858d49fc6c3
SHA512: 66a790306116ce388685568063287dd663639f9d4adc06e668ea45f6e29810c6e35c7ad5beeafd7cf6b82e5e89c6e42f8c427b3eb8951637bc5ae2153d4590bc

Signatures

  • Hancitor
    Hancitor is a downloader used to deliver other malware families.

  • Pony, Fareit
    Pony is a Remote Access Trojan application that steals information.

  • Process spawned unexpected child process
    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL

  • Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix
Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation