General

  • Target

    Ui12Poakf.t0mp

  • Size

    648KB

  • Sample

    210216-vbe2x2bg6a

  • MD5

    fce1d022cd3570459828982e6a101409

  • SHA1

    9f63b7667627bf861e17f39c313b2849b0d4d1d1

  • SHA256

    b1857c98c1d2ffec750c9f4b110cfa6f29289ad81bb2c622487f77eb98638288

  • SHA512

    0b6a0ee8c3110f9c2610bce6d8d1315db17790469814e3f2c57406f217a4709f124be37541971100138d87d72af8ee22fbbf951709bbac3c6c5a59fe3f4b81b5

Malware Config

Extracted

Family

hancitor

Botnet

1602_78210h

C2

http://eviddinlahal.com/8/forum.php

http://saisepsdrablis.ru/8/forum.php

http://obvionsweyband.ru/8/forum.php

Targets

    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Blocklisted process makes network request

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks