Triage | Malware sandboxing report by Hatching Triage

Sharing

General

Target

0304_56958375050481.doc
Size

743KB
Sample

210304-vdgj4lxnv6
MD5

7ba91fe733a2b27af2c602525151305d
SHA1

0c4f2f591db5e0bd0ce580649582f818a9da5179
SHA256

e9e50934dd76164022730125fc00cbe2467afd6e234d2c4873273d4bc6acafe8
SHA512

9d524efdcb0744e3a8b3bf13b234d8e9f595354ad3d143177e2da3ad9248122d403d596e38fa5055150eecc5866257c2f90bf6fdb9309acd5c67321b480ca4aa

Score

10^/10

hancitor 0403_nores34 downloader

Malware Config

Extracted

Family

hancitor

Botnet

0403_nores34

C2

http://throsesspeotte.com/8/forum.php

http://imilifeesinci.ru/8/forum.php

http://publearysuc.ru/8/forum.php

Targets

- Target
  
  0304_56958375050481.doc
- Size
  
  743KB
- MD5
  
  7ba91fe733a2b27af2c602525151305d
- SHA1
  
  0c4f2f591db5e0bd0ce580649582f818a9da5179
- SHA256
  
  e9e50934dd76164022730125fc00cbe2467afd6e234d2c4873273d4bc6acafe8
- SHA512
  
  9d524efdcb0744e3a8b3bf13b234d8e9f595354ad3d143177e2da3ad9248122d403d596e38fa5055150eecc5866257c2f90bf6fdb9309acd5c67321b480ca4aa
Score

10^/10

hancitor 0403_nores34 downloader
- Hancitor
  Hancitor is downloader used to deliver other malware families.
  downloader hancitor
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

static1

behavioral1

behavioral2

hancitor0403_nores34downloader