General

  • Target

    Static.dll

  • Size

    210KB

  • Sample

    210318-2yghemf5b6

  • MD5

    5fcd9629a3bc7f926a3d8d7a514ffe83

  • SHA1

    55cd27de305b25e4920aaaecaf3e9ee536c27958

  • SHA256

    e8ae373908cc7039bf2be2adb93c650bd4b9c3f4ffa72a638c9ee38e2e5e9d26

  • SHA512

    19736add2e41a989237961fef64d79bec35583e875f51671d86a24eb96ba8d2a69963a79937cd978798a1a3a97573602ab1dff3b2e6c2b4b7e7c2393fff4def4

Malware Config

Extracted

Family

hancitor

Botnet

1503_kin1

C2

http://froursmonesed.com/8/forum.php

http://abouniteta.ru/8/forum.php

http://diverbsez.ru/8/forum.php

Targets

    • Target

      Static.dll

    • Size

      210KB

    • MD5

      5fcd9629a3bc7f926a3d8d7a514ffe83

    • SHA1

      55cd27de305b25e4920aaaecaf3e9ee536c27958

    • SHA256

      e8ae373908cc7039bf2be2adb93c650bd4b9c3f4ffa72a638c9ee38e2e5e9d26

    • SHA512

      19736add2e41a989237961fef64d79bec35583e875f51671d86a24eb96ba8d2a69963a79937cd978798a1a3a97573602ab1dff3b2e6c2b4b7e7c2393fff4def4

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

    • Blocklisted process makes network request

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks