Static

static

0fiasS.dll

windows7_x64

10

0fiasS.dll

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0fiasS.dll

  • Size

    459KB

  • Sample

    210113-z2f6pymx2x

  • MD5

    7dafd3cf24542dfb021e4ee6f9af03c4

  • SHA1

    2d9445e1483503b2ca1a9451b37cb7144e711498

  • SHA256

    6ebc86e6f913ec435d6b7eeda2e0fbedf0fa6cc238af54b18da5c9588df399a3

  • SHA512

    d4d9af7ba43840bfc686dcf0f354253dfad5e97efa2b5b87e5d5c1039250f29580db312fbdbd9f2c21751e9f56476a9039ddfb555a1c29dc968b53f58753fde0

Score
10/10
hancitordownloaderspyware

Malware Config

Targets

    • Target

      0fiasS.dll

    • Size

      459KB

    • MD5

      7dafd3cf24542dfb021e4ee6f9af03c4

    • SHA1

      2d9445e1483503b2ca1a9451b37cb7144e711498

    • SHA256

      6ebc86e6f913ec435d6b7eeda2e0fbedf0fa6cc238af54b18da5c9588df399a3

    • SHA512

      d4d9af7ba43840bfc686dcf0f354253dfad5e97efa2b5b87e5d5c1039250f29580db312fbdbd9f2c21751e9f56476a9039ddfb555a1c29dc968b53f58753fde0

    Score
    10/10
    hancitordownloaderspyware

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

      downloaderhancitor

    • Blocklisted process makes network request

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks