hancitor | bd768d902abb211edf805fddc926ad87287a770c70ac62475ad4f25d1f314d39 | Triage

Submit
Reports

Overview

overview

Static

static

8

0217_17370...81.doc

windows7_x64

0217_17370...81.doc

windows10_x64

Sharing

General

Target

0217_1737094153981.doc
Size

391KB
Sample

210217-ptzk38dak2
MD5

df3d7fcf63c6fd0c482d88aed6eecb1d
SHA1

b790953f90ac8af2d7db4ce6454f451e809aab77
SHA256

bd768d902abb211edf805fddc926ad87287a770c70ac62475ad4f25d1f314d39
SHA512

80a3f01ed294f549621ce0c2a5a09bc1b86adcdb7e3ab5a98064020de923fb9e022f490c5bb4dde5f5214fbc00749bab033311be5b45201795c0716c434c685d

Score

10^/10

hancitor 1702_pro23 downloader macro macro_on_action spyware xlm

Static task

static1

macro xlm macro_on_action

Behavioral task

behavioral1

Sample

0217_1737094153981.doc

Resource

win7v20201028

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

0217_1737094153981.doc

Resource

win10v20201028

hancitor 1702_pro23 downloader spyware

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

hancitor

Botnet

1702_pro23

C2

http://hatuderefer.com/8/forum.php

http://thavelede.ru/8/forum.php

http://zinsubtal.ru/8/forum.php

Targets

- Target
  
  0217_1737094153981.doc
- Size
  
  391KB
- MD5
  
  df3d7fcf63c6fd0c482d88aed6eecb1d
- SHA1
  
  b790953f90ac8af2d7db4ce6454f451e809aab77
- SHA256
  
  bd768d902abb211edf805fddc926ad87287a770c70ac62475ad4f25d1f314d39
- SHA512
  
  80a3f01ed294f549621ce0c2a5a09bc1b86adcdb7e3ab5a98064020de923fb9e022f490c5bb4dde5f5214fbc00749bab033311be5b45201795c0716c434c685d
Score

10^/10

hancitor 1702_pro23 downloader spyware
- Hancitor
  Hancitor is downloader used to deliver other malware families.
  downloader hancitor
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

macroxlmmacro_on_action

behavioral1

behavioral2

hancitor1702_pro23downloaderspyware

© 2018-2024

Terms | Privacy