General

  • Target

    0318_98323640085061.doc

  • Size

    717KB

  • Sample

    210318-ec2xrdmmls

  • MD5

    ed8d3539a3e027ec713cb7eddbb0dcf6

  • SHA1

    5253b7e09168b17bc8bfd7938e6ee054f5b5bb59

  • SHA256

    1d11fee370ab3997737f58df6f80162981c24b61266d0818036d257e7217bbb9

  • SHA512

    7de42950bdb4c6d60ecdd1814432c284d304437294c5b77188767937b7381d6ba2d002a6bcbab3eac44e8516a25b8e21fcc221bc88baa0e4a2d6eb641ca965af

Malware Config

Extracted

Family

hancitor

Botnet

1503_kin1

C2

http://froursmonesed.com/8/forum.php

http://abouniteta.ru/8/forum.php

http://diverbsez.ru/8/forum.php

Targets

    • Target

      0318_98323640085061.doc

    • Size

      717KB

    • MD5

      ed8d3539a3e027ec713cb7eddbb0dcf6

    • SHA1

      5253b7e09168b17bc8bfd7938e6ee054f5b5bb59

    • SHA256

      1d11fee370ab3997737f58df6f80162981c24b61266d0818036d257e7217bbb9

    • SHA512

      7de42950bdb4c6d60ecdd1814432c284d304437294c5b77188767937b7381d6ba2d002a6bcbab3eac44e8516a25b8e21fcc221bc88baa0e4a2d6eb641ca965af

    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
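The extracted C2 list above and the "Process spawned unexpected child process" signature translate directly into two detection checks. The script below is an added example, not part of the sandbox report or the Hancitor sample: it matches outbound URLs against the three configured hosts, additionally matches the check-in path pattern these three URLs share (the assumption that the `/<digits>/forum.php` path is stable across this botnet's rotated domains is ours), and flags an Office parent spawning a child a document should never need. The Office and child process lists are assumptions, and the event lines it runs over are constructed for the example, not real sandbox output.

```python
import re
from urllib.parse import urlparse

# C2 URLs exactly as listed in the report's Malware Config section.
C2_URLS = [
    "http://froursmonesed.com/8/forum.php",
    "http://abouniteta.ru/8/forum.php",
    "http://diverbsez.ru/8/forum.php",
]
C2_HOSTS = {urlparse(u).hostname for u in C2_URLS}

# All three configured URLs share the path /8/forum.php. Matching the path
# shape catches rotated domains the config does not list. Assumption: the
# path stays stable across this botnet's domains.
C2_PATH_RE = re.compile(r"^/\d+/forum\.php$")

# Office parents and macro-launched children (both lists are assumptions).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "svchost.exe",
}


def check_url(url):
    """Classify an outbound URL.

    Returns 'c2-host' when the host is in the extracted config, 'c2-path'
    when only the Hancitor check-in path pattern matches, else None.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in C2_HOSTS:
        return "c2-host"
    if C2_PATH_RE.match(parsed.path):
        return "c2-path"
    return None


def check_process(parent, child):
    """True when an Office process spawns a child a document never needs
    (the report's 'Process spawned unexpected child process')."""
    return parent.lower() in OFFICE_PARENTS and child.lower() in SUSPICIOUS_CHILDREN


# Constructed sample events in a simple key=value form, one per line:
# process-creation records (type=proc) and outbound requests (type=net).
SAMPLE_EVENTS = """\
ts=2021-03-18T10:01:02 type=proc parent=explorer.exe child=WINWORD.EXE
ts=2021-03-18T10:01:09 type=proc parent=WINWORD.EXE child=rundll32.exe
ts=2021-03-18T10:01:12 type=net src=10.0.0.5 url=http://froursmonesed.com/8/forum.php
ts=2021-03-18T10:01:13 type=net src=10.0.0.5 url=http://other-domain.test/8/forum.php
ts=2021-03-18T10:01:14 type=net src=10.0.0.5 url=http://update.example.test/forum.php
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one key=value event line into a dict (empty dict if no pairs)."""
    return dict(KV_RE.findall(line))


def scan(text):
    """Run both checks over newline-separated events.

    Returns a list of (timestamp, verdict, detail) tuples in event order.
    """
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        if ev.get("type") == "proc":
            if check_process(ev["parent"], ev["child"]):
                findings.append((ev["ts"], "office-child",
                                 f'{ev["parent"]} -> {ev["child"]}'))
        elif ev.get("type") == "net":
            verdict = check_url(ev["url"])
            if verdict:
                findings.append((ev["ts"], verdict, ev["url"]))
    return findings


if __name__ == "__main__":
    for ts, verdict, detail in scan(SAMPLE_EVENTS):
        print(ts, verdict, detail)
```

On the constructed events the explorer.exe launch of WINWORD.EXE is not flagged (Office as the child is normal), the rundll32.exe child is flagged as `office-child`, the configured domain is flagged as `c2-host`, the unlisted domain with the same path is flagged as `c2-path`, and the plain `/forum.php` request is left alone. Treat `c2-path` as a lower-confidence hit than `c2-host` when tuning.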

MITRE ATT&CK Enterprise v6

Tasks