General
Target: 2020-11-04-Hancitor-and-Cobalt-Stri.zip
Size: 906KB
Sample: 201109-z8ssjz4t1e
MD5: 890eeb424ed41eea3483c5b541d41972
SHA1: 7e268719450b8cd648152af10e0565b9ff6509fe
SHA256: a15161d2967f272e94d617c7053bbcdbf0ee09148a0d9b13c52a69da077d3a01
SHA512: ecf45cabcd7308227a28efde3d87b0e9a9ef0c455c26da72f40fbc086608c3114611f1c91929d6321b2a030789e9d9e6535c94cc4d683e4f95f87aed4ed02e26
Static task: static1

Behavioral task: behavioral1
Sample: 2020-11-04-Cobalt-Strike-EXE.bin.exe
Resource: win7v20201028

Behavioral task: behavioral2
Sample: 2020-11-04-Cobalt-Strike-EXE.bin.exe
Resource: win10v20201028

Behavioral task: behavioral3
Sample: 2020-11-04-Ficker-Stealer-EXE.bin.exe
Resource: win7v20201028

Behavioral task: behavioral4
Sample: 2020-11-04-Ficker-Stealer-EXE.bin.exe
Resource: win10v20201028

Behavioral task: behavioral5
Sample: 2020-11-04-Hancitor-EXE.bin.exe
Resource: win7v20201028

Behavioral task: behavioral6
Sample: 2020-11-04-Hancitor-EXE.bin.exe
Resource: win10v20201028

Behavioral task: behavioral7
Sample: 2020-11-04-XLS-file-with-macro-for-Hancitor.bin.xls
Resource: win7v20201028

Behavioral task: behavioral8
Sample: 2020-11-04-XLS-file-with-macro-for-Hancitor.bin.xls
Resource: win10v20201028
Malware Config

Extracted: metasploit
windows/download_exec
http://31.44.184.131:80/sPIP
Headers: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727)
Targets

Target: 2020-11-04-Cobalt-Strike-EXE.bin
Size: 14KB
MD5: da977ca12c4990e59598897e40e4e8d7
SHA1: 50ffd5e0e0ac0876f61885f610d5d4f50465cf84
SHA256: 8f3eb6ca303de759c0530906ad4675432d7d3361641b46413e12f325b4028081
SHA512: c7af00076e2cc905a57d16fe1891b16a98ff6a0695612a50a781114e0dc86926a1aa36cdaa9355a46aff258c2f922ecbcb8cda727206bf1145a7b68e601cc079
Score: 10/10
Signatures:
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Target: 2020-11-04-Ficker-Stealer-EXE.bin
Size: 266KB
MD5: 1db6bd4d13cb9966e8875b3812aef71d
SHA1: 974c46a807d2d680dad5b6d63c38dd0e06e1ed68
SHA256: 9bdbb8dde9ad9be8d9303df1697e13a0f846cca95bc9e41d513c1f5f2a7a37b3
SHA512: 550405e7409846ab8673b6eacd1a8132d0582b3cde9360f92d812a9e399ac62459798839ae76e57144933fca2fbe36d89bf66fe72df668774eb5a2514a34ae4b
Signatures:
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.

Target: 2020-11-04-Hancitor-EXE.bin
Size: 603KB
MD5: 6b70a0ca3e7d80568109ab304c7b0fb0
SHA1: 476c1b11485a6d679d5bbba3b085e80361bff340
SHA256: cca24cf66321e5b2f63bb52b5183e9cc437bf1b59d5f34043307dbd3ab02ae62
SHA512: 8577d1175d02ba9c3d190e0cf0634e2a257ac97ea36348d3db6e7719ed1d50a37bacb271f2aca7889598a874bd25d182639dc6dade9994326c2e19120413ce72
Score: 6/10
Signatures:
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext

Target: 2020-11-04-XLS-file-with-macro-for-Hancitor.bin
Size: 293KB
MD5: 6ffb46347dea6d4d021daeaf48afef79
SHA1: 4970fa3d88f383be0b2f31eea97adc4e61b5bd21
SHA256: 7095724f5d80a968bcb7c0495f1689abaed255db80f12c9915dfa4b5414941b9
SHA512: dae8af4adb9ba99a633099d2f4b4937669d258cd0901b59fcbe95fd0247b5c073b70f14a4ca5075d1179e1b7209184b8f6e5787a2a0235ca7430a7a0af6fdcfd
Score: 1/10