General

  • Target

    Hs52qascx.dll

  • Size

    161KB

  • Sample

    210224-k3eqzx5qke

  • MD5

    d23d760f8ebdce2ba34acac664a22a62

  • SHA1

    38d8cabaeb4c9cb77e5e5ce401db1fd667a54fab

  • SHA256

    7fef24d7062d59cd58c5ca9f07eb70461754b3ce93273ca407f3acec2840253f

  • SHA512

    5dd68015e2a9e6e53b2e51eada68879c69cec3fbc8ca4dec49a4458f7ed4ffd36d16dbca7ec84f0b5a8444326bf1c061866fd19d69c032204cb7a0b66db84c69

Malware Config

Extracted

Family

hancitor

Botnet

2202_pro23

C2

http://aftereand.com/8/forum.php

http://nevemicies.ru/8/forum.php

http://froplivernat.ru/8/forum.php

Targets

    • Target

      Hs52qascx.dll

    • Size

      161KB

    • MD5

      d23d760f8ebdce2ba34acac664a22a62

    • SHA1

      38d8cabaeb4c9cb77e5e5ce401db1fd667a54fab

    • SHA256

      7fef24d7062d59cd58c5ca9f07eb70461754b3ce93273ca407f3acec2840253f

    • SHA512

      5dd68015e2a9e6e53b2e51eada68879c69cec3fbc8ca4dec49a4458f7ed4ffd36d16dbca7ec84f0b5a8444326bf1c061866fd19d69c032204cb7a0b66db84c69

    • Hancitor

Hancitor is a downloader used to deliver other malware families.

    • Blocklisted process makes network request

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
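As an added example (not part of the sandbox report), the script below turns the extracted config and the hash list above into IOC checks and runs them over constructed proxy-log lines: it flags requests to the three listed C2 hosts, POSTs to any other host that use the same `/<n>/forum.php` check-in path, and clients whose C2 contact follows an external-IP lookup. The log format, the log lines, the IP-lookup hostnames and the lookup-then-check-in ordering are this example's assumptions; the report only states that a legitimate IP lookup service is used and does not name it.

```python
"""Added example, not part of the sandbox report: turn the extracted Hancitor
config into IOC checks and run them over constructed proxy-log lines."""
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators copied from the report's extracted config and hash list.
HANCITOR_C2 = {
    "http://aftereand.com/8/forum.php",
    "http://nevemicies.ru/8/forum.php",
    "http://froplivernat.ru/8/forum.php",
}
C2_HOSTS = {urlparse(u).hostname for u in HANCITOR_C2}
SAMPLE_HASHES = {
    "md5": "d23d760f8ebdce2ba34acac664a22a62",
    "sha1": "38d8cabaeb4c9cb77e5e5ce401db1fd667a54fab",
    "sha256": "7fef24d7062d59cd58c5ca9f07eb70461754b3ce93273ca407f3acec2840253f",
}

# All three C2 URLs share the /<n>/forum.php path, so a POST with that path
# shape to an unlisted host is reported too (generalization, lower confidence).
C2_PATH_RE = re.compile(r"^/\d+/forum\.php$")

# The report says the sample queries a legitimate external-IP lookup service
# but does not name it; these hostnames are assumptions for the example.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ifconfig.me", "icanhazip.com"}

# Constructed log format: "<iso-timestamp> <client-ip> <method> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parsed = urlparse(rec["url"])
    rec["host"] = (parsed.hostname or "").lower()
    rec["path"] = parsed.path
    return rec


def classify(rec):
    """Tag a request: 'c2' (listed C2 host), 'c2-shape' (same check-in path on
    another host), 'iplookup' (external-IP service), or None."""
    if rec["host"] in C2_HOSTS:
        return "c2"
    if rec["method"] == "POST" and C2_PATH_RE.match(rec["path"]):
        return "c2-shape"
    if rec["host"] in IP_LOOKUP_HOSTS:
        return "iplookup"
    return None


def find_infected_hosts(lines):
    """Return {client_ip: [hit, ...]} for clients that contacted a C2 (or a
    C2-shaped URL). Each hit records whether an external-IP lookup was seen
    earlier from the same client; the lookup-before-check-in ordering is an
    assumption of this example, not something the report states."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tag = classify(rec)
        if tag:
            events[rec["src"]].append((rec["ts"], tag, rec["url"]))
    hits = {}
    for src, evs in events.items():
        seen_lookup = False
        for ts, tag, url in sorted(evs):
            if tag == "iplookup":
                seen_lookup = True
            else:
                hits.setdefault(src, []).append({
                    "ts": ts, "url": url,
                    "known_c2": tag == "c2",
                    "after_ip_lookup": seen_lookup,
                })
    return hits


def hash_matches(data):
    """Compare file bytes against the report's hashes; returns {algo: bool}."""
    return {algo: hashlib.new(algo, data).hexdigest() == want
            for algo, want in SAMPLE_HASHES.items()}


# Constructed log lines: one client showing the lookup-then-check-in sequence,
# one benign client, one client POSTing to a C2-shaped path on an unlisted host.
SAMPLE_LOG = [
    "2021-02-24T10:01:02Z 10.0.0.5 GET http://api.ipify.org/",
    "2021-02-24T10:01:03Z 10.0.0.5 POST http://aftereand.com/8/forum.php",
    "2021-02-24T10:01:09Z 10.0.0.5 POST http://nevemicies.ru/8/forum.php",
    "2021-02-24T10:05:00Z 10.0.0.7 GET http://example.com/index.html",
    "2021-02-24T10:06:00Z 10.0.0.9 POST http://example.org/8/forum.php",
]

if __name__ == "__main__":
    for src, hs in find_infected_hosts(SAMPLE_LOG).items():
        for h in hs:
            print(src, h["ts"], h["url"], "known_c2=%s after_ip_lookup=%s"
                  % (h["known_c2"], h["after_ip_lookup"]))
```

The hashes identify only this build of the DLL, so `hash_matches` is the strictest check but the easiest to evade; the domains and the check-in path shape are what a hunt would pivot on, with the path-shape match reported at lower confidence because a benign forum could serve a URL of the same form.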
