General

  • Target

    0318_45657944978421.doc

  • Size

    717KB

  • Sample

    210318-pg7djaylyx

  • MD5

    a1ba6d313842fb0407fbe037ca84c5a2

  • SHA1

    af339e9a077fe9eef9dbdae2284e29d546ec2aca

  • SHA256

    ab80918fd8343507b3b5f1f2f8a1f128209601124ebb26b527bee6992989ea29

  • SHA512

    0f25b98ead300ae78093f8d1baaccb434e0d7b2ac082fa0d63fd994abca9d186b1752a4b7a11c8cd1068f81263b476f432ef10ca3831b847d062c8699060296b

Malware Config

Extracted

Family

hancitor

Botnet

1503_kin1

C2

http://froursmonesed.com/8/forum.php

http://abouniteta.ru/8/forum.php

http://diverbsez.ru/8/forum.php

Targets

    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks