General

  • Target

    0211_38602014674781.doc

  • Size

    332KB

  • Sample

    210211-dcvggp7x86

  • MD5

    b346a01d3398a728758895b1aaf2748b

  • SHA1

    d1f569be335e637d6a43e859bd7969b9624e68e8

  • SHA256

    5134951dfe74a2803ae255e7ba55e765fb16b1f212ecaa957aa612e304423ecd

  • SHA512

    ca38ab17a297ddae23d8585aaaf9f8a3e482fb11db5dffe852870f070aa2dbce1b415f660d17f64bee3d637a188d3efe51364ec585e8e5cf30a2503bb61d80e6

Malware Config

Extracted

Family

hancitor

Botnet

1102_heid89

C2

http://nuencres.com/8/forum.php

http://matuattheires.ru/8/forum.php

http://desuctoette.ru/8/forum.php
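The hashes and C2 URLs above are the indicators a responder would want to sweep for. The following is an added example (not part of the sandbox report) that hashes a file against the listed digests and scans proxy log lines for the listed C2 URLs. The log lines are constructed, and the "/<digits>/forum.php" path heuristic is an assumption generalised from the three URLs in the extracted config, not something the report states.

```python
"""Offline IOC matcher for the Hancitor sample in this report.

Added example, not part of the sandbox report. The C2 URLs and file hashes
are copied from the report; the proxy log lines are constructed for
illustration, and the '/<n>/forum.php' path heuristic is an assumption
generalised from the three listed URLs.
"""
import hashlib
import re
from urllib.parse import urlparse

# File hashes from the report (MD5 and SHA256 of 0211_38602014674781.doc).
SAMPLE_MD5 = "b346a01d3398a728758895b1aaf2748b"
SAMPLE_SHA256 = "5134951dfe74a2803ae255e7ba55e765fb16b1f212ecaa957aa612e304423ecd"

# C2 URLs from the extracted config.
C2_URLS = [
    "http://nuencres.com/8/forum.php",
    "http://matuattheires.ru/8/forum.php",
    "http://desuctoette.ru/8/forum.php",
]
C2_EXACT = set(C2_URLS)
C2_HOSTS = {urlparse(u).hostname for u in C2_URLS}

# Assumed heuristic: the three URLs share a '/<digits>/forum.php' path, so
# flag that path on any host as a weaker, pattern-based hit.
C2_PATH_RE = re.compile(r"^/\d+/forum\.php$")


def hashes_of(data):
    """Return (md5, sha256) hex digests of a byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def file_matches_sample(path):
    """Hash a file on disk and report whether it is the sample from the report."""
    with open(path, "rb") as f:
        md5, sha256 = hashes_of(f.read())
    return md5 == SAMPLE_MD5 and sha256 == SAMPLE_SHA256


def classify_url(url):
    """Strongest verdict first: exact C2 URL, then known C2 host, then path pattern."""
    parsed = urlparse(url)
    if url in C2_EXACT:
        return "c2-url"
    if parsed.hostname in C2_HOSTS:
        return "c2-host"
    if C2_PATH_RE.match(parsed.path):
        return "c2-path-pattern"
    return None


def scan_proxy_log(lines):
    """Scan 'src_ip method url' lines; return (src_ip, url, verdict) for each hit."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines instead of aborting the scan
        src_ip, url = parts[0], parts[2]
        verdict = classify_url(url)
        if verdict is not None:
            hits.append((src_ip, url, verdict))
    return hits


# Constructed proxy log lines (not real traffic).
SAMPLE_LOG = [
    "10.0.0.15 GET http://example.com/index.html",
    "10.0.0.15 POST http://nuencres.com/8/forum.php",
    "10.0.0.22 POST http://desuctoette.ru/4/forum.php",
    "10.0.0.31 POST http://other-host.example/8/forum.php",
    "malformed line",
]

if __name__ == "__main__":
    for src_ip, url, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{src_ip} -> {url} [{verdict}]")
```

The three verdict levels are deliberate: an exact URL or a listed host is a firm indicator, while the path pattern on an unlisted host is only a lead that needs confirmation before blocking, since any site could legitimately host a file at that path.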

Targets

    • Target

      0211_38602014674781.doc

    • Size

      332KB

    • MD5

      b346a01d3398a728758895b1aaf2748b

    • SHA1

      d1f569be335e637d6a43e859bd7969b9624e68e8

    • SHA256

      5134951dfe74a2803ae255e7ba55e765fb16b1f212ecaa957aa612e304423ecd

    • SHA512

      ca38ab17a297ddae23d8585aaaf9f8a3e482fb11db5dffe852870f070aa2dbce1b415f660d17f64bee3d637a188d3efe51364ec585e8e5cf30a2503bb61d80e6

    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
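The "Process spawned unexpected child process" signature is the one most directly reproducible from endpoint telemetry. The following is an added example (not part of the sandbox report) that applies that check to process-creation records: an Office parent starting a child outside a small allow-list is reported. The event records are constructed, and the parent set and allow-list are assumptions of this example rather than a vendor rule.

```python
"""Flag an Office process spawning a child it is not expected to start.

Added example for the 'Process spawned unexpected child process' signature;
not part of the sandbox report. The event records are constructed, and the
parent list and child allow-list are assumptions of this example, not a
vendor rule.
"""
import ntpath
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "parent_image image command_line")

# Assumed: Office binaries whose children deserve scrutiny when a document
# that may carry macros is opened.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Assumed allow-list of children Office starts on its own (print helper,
# crash reporter). Anything else is reported.
EXPECTED_CHILDREN = {"splwow64.exe", "dw20.exe"}


def image_name(path):
    """Lower-cased basename of a Windows image path, e.g. 'winword.exe'."""
    return ntpath.basename(path).lower()


def is_unexpected_child(event):
    """True when an Office parent starts a child outside the allow-list."""
    parent = image_name(event.parent_image)
    child = image_name(event.image)
    return parent in OFFICE_PARENTS and child not in EXPECTED_CHILDREN


def flag_events(events):
    """Return (parent, child, command_line) for every suspicious event."""
    return [
        (image_name(e.parent_image), image_name(e.image), e.command_line)
        for e in events
        if is_unexpected_child(e)
    ]


# Constructed process-creation events (not from the report). The document
# name is the report's target; the child processes are invented for the example.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\user\Downloads\0211_38602014674781.doc"'),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\splwow64.exe",
              r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\user\AppData\Local\Temp\dropped.dll,Entry"),
]

if __name__ == "__main__":
    for parent, child, cmdline in flag_events(SAMPLE_EVENTS):
        print(f"{parent} -> {child}: {cmdline}")
```

Matching on the basename rather than the full path keeps the check independent of the Office install location, but it also means a renamed binary would slip past it; in production the rule should be paired with image signature or hash checks rather than relied on alone.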

MITRE ATT&CK Enterprise v6
