hancitor | f4427ef6b665bf0563f23fde314caf9f905ab1e049fc5c0b33384d526ec3cbf1 | Triage

Sharing

General

Target

han.exe
Size

500KB
Sample

201014-bzt48wbbj6
MD5

e8a8c90d7da67da7ee790e9e49127cf7
SHA1

65731d02a9a9899b1ee72e822d3dab2129fffa9a
SHA256

f4427ef6b665bf0563f23fde314caf9f905ab1e049fc5c0b33384d526ec3cbf1
SHA512

aa0c0cb8aa0d6864da79cee8e14c3dd70d320d42ca19b999be34a243416011aea3fb9b02a10b860234dde7abfaef6ef4fca704233258beb1b182fb0c043fb9a3

Score

10^/10

hancitor downloader persistence

Malware Config

Targets

- Target
  
  han.exe
- Size
  
  500KB
- MD5
  
  e8a8c90d7da67da7ee790e9e49127cf7
- SHA1
  
  65731d02a9a9899b1ee72e822d3dab2129fffa9a
- SHA256
  
  f4427ef6b665bf0563f23fde314caf9f905ab1e049fc5c0b33384d526ec3cbf1
- SHA512
  
  aa0c0cb8aa0d6864da79cee8e14c3dd70d320d42ca19b999be34a243416011aea3fb9b02a10b860234dde7abfaef6ef4fca704233258beb1b182fb0c043fb9a3
Score

10^/10

hancitor downloader persistence
- Hancitor
  Hancitor is downloader used to deliver other malware families.
  downloader hancitor
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hancitordownloaderpersistence

behavioral2

hancitordownloaderpersistence