General

  • Target

    0318_85826668285221.doc

  • Size

    717KB

  • Sample

    210318-c7fh6a3ccs

  • MD5

    504afcedfccc2caf7e2bd9a440bbe566

  • SHA1

    5c1a66a82e6f8e4eee4d10354f678c9a794c9a89

  • SHA256

    ec501de74ba3d126a14b1d1b09a33cb70e184c28f395e84149fe01fc8041a366

  • SHA512

    edbd112480a29d93644f7a2672d7bd288985bdea333545d6eafbbf108df4f65b108f3106c806f8a7fcbfc17f00a9a32f505e182cf3eb1c38f6ee9da69fc16e9c

Malware Config

Extracted

Family

hancitor

Botnet

1503_kin1

C2

http://froursmonesed.com/8/forum.php

http://abouniteta.ru/8/forum.php

http://diverbsez.ru/8/forum.php

Targets

    • Target

      0318_85826668285221.doc

    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
