General

  • Target

    msals.dll

  • Size

    210KB

  • Sample

    210318-bqp5ka4jla

  • MD5

    180f00447097c0a22248bd0f8499c1f8

  • SHA1

    7a53bf2baadc6ae47b4ee7e2bd2c1d9e480f349f

  • SHA256

    008cef736fa8dd4458ceff73a8cdfcb0e2deb1ab4534fcae9f196b6577723121

  • SHA512

    84c465ebfb46df7d94cdf2f9ef50277ce9ead99bb5f843c4cae9ab9b5f43c1a9326e25d7c998d46b69b0fb46855c4af1879eed133e75d25ab5c3c4ffdd9d04a4

Malware Config

Extracted

Family

hancitor

Botnet

1503_kin1

C2

http://froursmonesed.com/8/forum.php

http://abouniteta.ru/8/forum.php

http://diverbsez.ru/8/forum.php

Targets

    • Target

      msals.dll


    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Blocklisted process makes network request

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks