Static

static

W0rd.bin.dll

windows7_x64

10

W0rd.bin.dll

windows10_x64

10

Resubmissions

18-01-2021 09:04

210118-1kebnhj11n 10

13-01-2021 16:29

210113-ejamrkj5bn 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    W0rd.bin

  • Size

    459KB

  • Sample

    210113-ejamrkj5bn

  • MD5

    3f0014063c90ac8a25046d0f5f16937d

  • SHA1

    8718a50b294ca70fa387a2609a1e5712f5b84123

  • SHA256

    c5385df4db1e69b06cf36f4481365d1101679a5764d721e369ea1d5d4c4b6b2c

  • SHA512

    5bd7ec11db8a61ae53537eabc81809972c4ca8c61473db9067cf49f03af8a00ed31ec773bbe2a345aa8d3b9ba58b6a7e8472d8b54dfa8954df6e28b6794c6a63

Score
10/10
hancitordownloaderspyware

Malware Config

Targets

    • Target

      W0rd.bin

    • Size

      459KB

    • MD5

      3f0014063c90ac8a25046d0f5f16937d

    • SHA1

      8718a50b294ca70fa387a2609a1e5712f5b84123

    • SHA256

      c5385df4db1e69b06cf36f4481365d1101679a5764d721e369ea1d5d4c4b6b2c

    • SHA512

      5bd7ec11db8a61ae53537eabc81809972c4ca8c61473db9067cf49f03af8a00ed31ec773bbe2a345aa8d3b9ba58b6a7e8472d8b54dfa8954df6e28b6794c6a63

    Score
    10/10
    hancitordownloaderspyware

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

      downloaderhancitor

    • Blocklisted process makes network request

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks