General

  • Target

    0216_29570659210860.doc

  • Size

    363KB

  • Sample

    210216-3ttz8s84l6

  • MD5

    45ded128f3f52bf39d0771a55ea244ae

  • SHA1

    2fe3e24d8af64e3e079e936cc13089afcb74daf9

  • SHA256

    f46eeafb15da4873dd4423279e3390767141e17a4fb87e8d5226316a4635a6ac

  • SHA512

    eb81220dc55d847eac8a0e3ed7ce280e8b0ef56b803f94a2319e770fda4c40d6e34e9f286909834c5daa7ce824f2ecb27d0b56d08c8f6fcbeca9ce236a82cda5

Malware Config

Extracted

Family

hancitor

Botnet

1602_78210h

C2

http://eviddinlahal.com/8/forum.php

http://saisepsdrablis.ru/8/forum.php

http://obvionsweyband.ru/8/forum.php

Targets

    • Target

      0216_29570659210860.doc

    • Size

      363KB

    • MD5

      45ded128f3f52bf39d0771a55ea244ae

    • SHA1

      2fe3e24d8af64e3e079e936cc13089afcb74daf9

    • SHA256

      f46eeafb15da4873dd4423279e3390767141e17a4fb87e8d5226316a4635a6ac

    • SHA512

      eb81220dc55d847eac8a0e3ed7ce280e8b0ef56b803f94a2319e770fda4c40d6e34e9f286909834c5daa7ce824f2ecb27d0b56d08c8f6fcbeca9ce236a82cda5

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks