General

  • Target

    0318_26520154690771.doc

  • Size

    717KB

  • Sample

    210321-aq3ggjkcf2

  • MD5

    5f8de66af1f6ae90063339dd9d526234

  • SHA1

    4bc1522707e2c5566710bd449f779da2c14ed4cf

  • SHA256

    9e9c65cb226ad216b5e47debceed0e541951e251b28ceeb2405423a0dceda602

  • SHA512

    be974bb2465a38b04254a16dcce73d1215bba94fa80ab628f084252227de69e14a81e9c4a68e2e760153ed3d24ba08314b8d57f5615f0370872e541844d457db

Malware Config

Extracted

Family

hancitor

Botnet

1503_kin1

C2

http://froursmonesed.com/8/forum.php

http://abouniteta.ru/8/forum.php

http://diverbsez.ru/8/forum.php

Targets

    • Target

      0318_26520154690771.doc

    • Size

      717KB

    • MD5

      5f8de66af1f6ae90063339dd9d526234

    • SHA1

      4bc1522707e2c5566710bd449f779da2c14ed4cf

    • SHA256

      9e9c65cb226ad216b5e47debceed0e541951e251b28ceeb2405423a0dceda602

    • SHA512

      be974bb2465a38b04254a16dcce73d1215bba94fa80ab628f084252227de69e14a81e9c4a68e2e760153ed3d24ba08314b8d57f5615f0370872e541844d457db

    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks