hancitor | de5e9077481f7cf0b1addaeaaf21d6d39cabed2eea02276aaf9c241bce446c3d | Triage

Sharing

General

Target

exect.exe
Size

670KB
Sample

201028-c6y5j3whn6
MD5

28e9316fb298d2e7a3d9fd71c662b3ec
SHA1

1c3737add4444a2cb0842d1a5535005b7aa8e7a4
SHA256

de5e9077481f7cf0b1addaeaaf21d6d39cabed2eea02276aaf9c241bce446c3d
SHA512

ccf5bfd384e231180a8e1153b45a0be518d17dc782335d47c543f9dba48cd03c6bf7ce0b34dde92b88f404e248e7484dfac6c1f39dde5a40f40eafdf53eb7bce

Score

10^/10

hancitor downloader persistence

Malware Config

Targets

- Target
  
  exect.exe
- Size
  
  670KB
- MD5
  
  28e9316fb298d2e7a3d9fd71c662b3ec
- SHA1
  
  1c3737add4444a2cb0842d1a5535005b7aa8e7a4
- SHA256
  
  de5e9077481f7cf0b1addaeaaf21d6d39cabed2eea02276aaf9c241bce446c3d
- SHA512
  
  ccf5bfd384e231180a8e1153b45a0be518d17dc782335d47c543f9dba48cd03c6bf7ce0b34dde92b88f404e248e7484dfac6c1f39dde5a40f40eafdf53eb7bce
Score

10^/10

hancitor downloader persistence
- Hancitor
  Hancitor is downloader used to deliver other malware families.
  downloader hancitor
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hancitordownloaderpersistence

behavioral2

hancitordownloaderpersistence