General

  • Target

    121e2902c085cf41c9b9cddab5bf499da02b01f36ef999aa9aa8f7d818a884ac

  • Size

    717KB

  • Sample

    210322-4yfdq5947j

  • MD5

    c5792ce2154c652d9102fa4982dcfce3

  • SHA1

    32b5eaa378aa90610b40c88b3fbdace3f21b7021

  • SHA256

    121e2902c085cf41c9b9cddab5bf499da02b01f36ef999aa9aa8f7d818a884ac

  • SHA512

    b7cfd6246163a784bf94c214bd7e6bb01f458eb03e2eb7708803b2804adce83f9b8922354c2a89e38b02ef045132ff9294796348bda854c6a2fa45d7d1943f48

Malware Config

Extracted

Family

hancitor

Botnet

1503_kin1

C2

http://froursmonesed.com/8/forum.php

http://abouniteta.ru/8/forum.php

http://diverbsez.ru/8/forum.php

Targets

    • Target

      121e2902c085cf41c9b9cddab5bf499da02b01f36ef999aa9aa8f7d818a884ac

    • Size

      717KB

    • MD5

      c5792ce2154c652d9102fa4982dcfce3

    • SHA1

      32b5eaa378aa90610b40c88b3fbdace3f21b7021

    • SHA256

      121e2902c085cf41c9b9cddab5bf499da02b01f36ef999aa9aa8f7d818a884ac

    • SHA512

      b7cfd6246163a784bf94c214bd7e6bb01f458eb03e2eb7708803b2804adce83f9b8922354c2a89e38b02ef045132ff9294796348bda854c6a2fa45d7d1943f48

    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
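The extracted config above (three C2 URLs, all on the path `/8/forum.php`) and the behavioural signatures in this list are the parts of the report that turn directly into detection content. The following Python is an added example, not part of the sandbox report and not Hancitor's own code: it takes the C2 URLs and SHA256 from the report and runs the three signatures (unexpected child process, C2 request, external IP lookup) over constructed telemetry. The event format, the Office-parent/suspicious-child pairing and the list of IP-lookup hosts are assumptions of this example; the report does not name which lookup service the sample used.

```python
"""Triage the extracted Hancitor config against constructed host telemetry.

Added example, not part of the sandbox report. The C2 URLs and SHA256 come from
the report; the event records below are constructed for illustration and do not
come from the sandbox run. The parent/child heuristic and the IP-lookup host
list are assumptions of this example, not signatures from the report.
"""
import hashlib
from urllib.parse import urlsplit

# Extracted config from the report (family hancitor, botnet 1503_kin1).
C2_URLS = [
    "http://froursmonesed.com/8/forum.php",
    "http://abouniteta.ru/8/forum.php",
    "http://diverbsez.ru/8/forum.php",
]
SAMPLE_SHA256 = "121e2902c085cf41c9b9cddab5bf499da02b01f36ef999aa9aa8f7d818a884ac"

# Assumptions of this example: Office hosts that should not spawn these children,
# and public IP-lookup services (the report does not say which one was contacted).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"rundll32.exe", "regsvr32.exe", "cmd.exe",
                       "powershell.exe", "mshta.exe", "wscript.exe"}
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com",
                   "checkip.amazonaws.com"}


def _c2_key(url):
    """Normalise a URL to (host, path) so port/query/case differences do not evade the match."""
    parts = urlsplit(url)
    return parts.hostname.lower(), parts.path


C2_KEYS = {_c2_key(u) for u in C2_URLS}


def match_c2(url):
    """True if the URL hits one of the extracted C2 endpoints (host and path both match)."""
    try:
        return _c2_key(url) in C2_KEYS
    except (ValueError, AttributeError):
        return False


def triage(events):
    """Run the report's three behavioural signatures over a list of event dicts.

    Event shapes (constructed for this example):
      {"type": "process", "parent": "winword.exe", "image": "rundll32.exe"}
      {"type": "http", "image": "rundll32.exe", "url": "http://..."}
    Returns a list of (signature, detail) tuples in event order.
    """
    hits = []
    for ev in events:
        if ev["type"] == "process":
            parent, child = ev["parent"].lower(), ev["image"].lower()
            if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
                hits.append(("unexpected_child_process", f"{parent} -> {child}"))
        elif ev["type"] == "http":
            url = ev["url"]
            host = (urlsplit(url).hostname or "").lower()
            if match_c2(url):
                hits.append(("hancitor_c2", url))
            if host in IP_LOOKUP_HOSTS:
                hits.append(("external_ip_lookup", host))
    return hits


def sha256_matches(data, expected=SAMPLE_SHA256):
    """Check file bytes against the report's SHA256 to confirm you hold the same sample."""
    return hashlib.sha256(data).hexdigest() == expected


# Constructed telemetry, not from the sandbox run.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "winword.exe"},
    {"type": "process", "parent": "winword.exe", "image": "rundll32.exe"},
    {"type": "http", "image": "rundll32.exe", "url": "http://api.ipify.org/"},
    {"type": "http", "image": "rundll32.exe",
     "url": "http://abouniteta.ru:80/8/forum.php?x=1"},
    {"type": "http", "image": "chrome.exe", "url": "https://example.com/8/forum.php"},
]

if __name__ == "__main__":
    for sig, detail in triage(SAMPLE_EVENTS):
        print(f"{sig:26} {detail}")
```

Matching on normalised host plus path rather than the raw string is deliberate: an explicit `:80`, a trailing query or mixed-case host would otherwise slip past an exact-string indicator. The shared `/8/forum.php` path is a useful pivot for hunting across this botnet's infrastructure, but matching on path alone (the last constructed event) would produce false positives on unrelated forum software, so the example requires the host as well.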

MITRE ATT&CK Enterprise v6

Tasks