Static

static

0fiasS.dll

windows7_x64

10

0fiasS.dll

windows10_x64

8

Analysis

  • max time kernel
    138s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    13-01-2021 15:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0fiasS.dll

  • Size

    459KB

  • MD5

    7dafd3cf24542dfb021e4ee6f9af03c4

  • SHA1

    2d9445e1483503b2ca1a9451b37cb7144e711498

  • SHA256

    6ebc86e6f913ec435d6b7eeda2e0fbedf0fa6cc238af54b18da5c9588df399a3

  • SHA512

    d4d9af7ba43840bfc686dcf0f354253dfad5e97efa2b5b87e5d5c1039250f29580db312fbdbd9f2c21751e9f56476a9039ddfb555a1c29dc968b53f58753fde0

Score
10/10
hancitordownloaderspyware

Malware Config

Signatures

  • Hancitor

    Hancitor is downloader used to deliver other malware families.

    downloaderhancitor
  • Blocklisted process makes network request 5 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fiasS.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fiasS.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\System32\svchost.exe
        3⤵
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/332-4-0x0000000000400000-0x000000000044E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/332-5-0x0000000000401480-mapping.dmp
    Download
  • memory/332-6-0x0000000000400000-0x000000000044E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/1496-2-0x0000000000000000-mapping.dmp
    Download
  • memory/1584-3-0x000007FEF7B10000-0x000007FEF7D8A000-memory.dmp
    Filesize

    2.5MB

    Download