General

  • Target

    W0rd.dll

  • Size

    595KB

  • Sample

    210211-krler1vyzs

  • MD5

    b318cc9f1ff841af11f7720f345e1243

  • SHA1

    c318872278becf9287efe094cc4511f8907ba73d

  • SHA256

    e7b6a50fd748a48d5168877e64c9255995f177b13c8790647f61ea46dd790c00

  • SHA512

    16c937a15c665df7bd54c54ef214fc56ac5fefc7005eedd990250a14d87878e361e0d3e76e1cccd794c196784fe99fb3e689fb9460d3ea90b9baedde2e11290f

Malware Config

Extracted

Family

hancitor

Botnet

1102_heid89

C2

http://nuencres.com/8/forum.php

http://matuattheires.ru/8/forum.php

http://desuctoette.ru/8/forum.php

Targets

    • Target

      W0rd.dll

    • Hancitor

      Hancitor is a downloader used to deliver other malware families; the extracted botnet ID and C2 URLs above are the indicators to pivot on.

    • Blocklisted process makes network request

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
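The following is an added detection example for the extracted config and the two signatures above (external-IP lookup, then check-in to a C2). It is not code from the sandbox or this report. The proxy-log layout is a constructed minimal JSON-lines format, and the check-in form fields (GUID, BUILD, INFO, EXT, IP, TYPE, WIN) and the external-IP service hostnames are taken from public Hancitor analyses, not from this page, so treat them as assumptions to verify against your own captures.

```python
"""Match Hancitor check-in traffic against the C2 list and botnet ID extracted above.

Constructed example for this report, not sandbox code. Log format is a made-up
JSON-lines proxy log; check-in field names and IP-lookup hosts are assumed from
public Hancitor write-ups rather than stated by the report.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# IOCs taken from the extracted config on this page
C2_URLS = {
    "http://nuencres.com/8/forum.php",
    "http://matuattheires.ru/8/forum.php",
    "http://desuctoette.ru/8/forum.php",
}
C2_HOSTS = {urlsplit(u).hostname for u in C2_URLS}
BOTNET_ID = "1102_heid89"

# Check-in URL shape shared by the three C2s: /<digits>/forum.php
CHECKIN_PATH = re.compile(r"^/\d+/forum\.php$")
# Form fields of the Hancitor check-in POST (assumed from public analyses)
CHECKIN_FIELDS = {"GUID", "BUILD", "INFO", "EXT", "IP", "TYPE", "WIN"}
# External-IP services behind the "Looks up external IP address" signature (assumed list)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com"}


def classify(entry):
    """Return a verdict dict for one proxy log entry, or None if it is uninteresting."""
    url = urlsplit(entry["url"])
    host, path = url.hostname or "", url.path or "/"
    if entry["method"] == "GET" and host in IP_LOOKUP_HOSTS:
        return {"src": entry["src"], "verdict": "external_ip_lookup", "host": host}
    if entry["method"] == "POST" and CHECKIN_PATH.match(path):
        fields = parse_qs(entry["body"], keep_blank_values=True)
        if CHECKIN_FIELDS <= set(fields):
            build = fields["BUILD"][0]
            known = entry["url"] in C2_URLS or host in C2_HOSTS
            return {
                "src": entry["src"],
                # known C2 from this config vs. same beacon shape to an unlisted host
                "verdict": "hancitor_c2_checkin" if known else "hancitor_checkin_pattern",
                "host": host,
                "build": build,
                "build_matches_report": build == BOTNET_ID,
                "victim_ip": fields["IP"][0],
            }
    return None


def scan(log_text):
    """Classify every JSON line of a proxy log; returns the list of non-None verdicts."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        verdict = classify(json.loads(line))
        if verdict:
            hits.append(verdict)
    return hits


def infected_hosts(hits):
    """Map each source that produced a check-in to whether it also did an external-IP
    lookup, the two-step sequence the signatures above describe."""
    checkins = {h["src"] for h in hits if h["verdict"].startswith("hancitor_")}
    lookups = {h["src"] for h in hits if h["verdict"] == "external_ip_lookup"}
    return {src: src in lookups for src in sorted(checkins)}


# Constructed proxy log (not from the sandbox run): one JSON object per request
SAMPLE_LOG = """\
{"src": "10.0.0.15", "method": "GET", "url": "http://api.ipify.org/", "body": ""}
{"src": "10.0.0.15", "method": "POST", "url": "http://nuencres.com/8/forum.php", "body": "GUID=1234567890&BUILD=1102_heid89&INFO=WIN-HOST @ WIN-HOST user&EXT=&IP=203.0.113.7&TYPE=1&WIN=10.0(x64)"}
{"src": "10.0.0.22", "method": "GET", "url": "http://example.com/index.html", "body": ""}
{"src": "10.0.0.22", "method": "POST", "url": "http://example.com/login.php", "body": "user=a&pass=b"}
{"src": "10.0.0.31", "method": "POST", "url": "http://unlisted.example/4/forum.php", "body": "GUID=99&BUILD=other_build&INFO=PC @ PC user&EXT=&IP=198.51.100.9&TYPE=1&WIN=6.1(x86)"}
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(infected_hosts(found))
```

The third verdict is the useful one in practice: a POST with the full Hancitor field set to a host that is not in this report's config is still worth pivoting on, because the C2 list rotates between builds while the beacon shape does not.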
