General

  • Target

    0216_2632629125129.doc

  • Size

    834KB

  • Sample

    210216-dc7n9e9rxj

  • MD5

    475eebe2974edd4801847661dcb528e0

  • SHA1

    0738db9956dfc1e0c614c7a71cda4fd1182526e7

  • SHA256

    d0a97fe3a995c7bc3aa27929b2c36bb1e87add6451bd7757439ecc0ab031ff56

  • SHA512

    9d1752e1242afc7e0a73fc808a42683e7d7c4d021f027f8a11d02da03383219fca0f1c9a20d3107dbf94e15c298aab8ee4f79fa9d70ee530d73b1104e930cfe2

Malware Config

Extracted

Family

hancitor

Botnet

1602_78210h

C2

http://eviddinlahal.com/8/forum.php

http://saisepsdrablis.ru/8/forum.php

http://obvionsweyband.ru/8/forum.php

Targets

    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks