General

  • Target

    msals.dll

  • Size

    526KB

  • Sample

    210324-k7vsyj9tgx

  • MD5

    35f5c135418acf35a56983a8a95d4aa1

  • SHA1

    341ca3604c3dc9b0687a06b9b840c43bf80a0aa4

  • SHA256

    ec422ba6e146b500fd4c1972538418277a851cd7eaf38aaa2a893ad10e841faf

  • SHA512

    ba3f938808ed2104689a169fbe9573424d6b698156ae6d21c28d7826ecdd84256826d74d7463900538cf3bf3b90103968c006ce712ccd34ceca085e98f4fc98b

Malware Config

Extracted

Family

hancitor

Botnet

2203_78291

C2

http://tricilidiany.com/8/forum.php

http://intaticducalso.ru/8/forum.php

http://gloporiente.ru/8/forum.php
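The three C2 URLs above share a host-independent path (`/8/forum.php`), so a practical way to use this config is to match both the exact host+path pairs and, more loosely, the path on its own. The script below is an added example, not part of the sandbox report or its tooling: it takes the C2 list verbatim from the config, parses a constructed proxy-log format (`<timestamp> <client_ip> <method> <url> <status>`, an assumption, not a real log format) and returns a verdict per line. The log lines and timestamps are constructed for illustration.

```python
"""Match proxy log lines against the Hancitor C2 config extracted above.

Added example. The log format and SAMPLE_LOG below are constructed and
are not taken from the report; only HANCITOR_C2 comes from the page.
"""
import re
from urllib.parse import urlparse

# C2 URLs copied from the extracted config.
HANCITOR_C2 = [
    "http://tricilidiany.com/8/forum.php",
    "http://intaticducalso.ru/8/forum.php",
    "http://gloporiente.ru/8/forum.php",
]


def c2_indicators(urls):
    """Split C2 URLs into lowercased (host, path) pairs."""
    pairs = set()
    for u in urls:
        p = urlparse(u)
        pairs.add(((p.hostname or "").lower(), p.path))
    return pairs


C2_PAIRS = c2_indicators(HANCITOR_C2)
C2_HOSTS = {h for h, _ in C2_PAIRS}
# All three C2s share this path; matching on it alone is a weaker, noisier signal.
C2_PATHS = {p for _, p in C2_PAIRS}

# Constructed proxy-log line format (assumption): "<ts> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|CONNECT)\s+(\S+)\s+(\d{3})$")


def classify_request(line):
    """Return 'c2' for an exact host+path hit, 'host' for a known C2 host with a
    different path (or a CONNECT tunnel, which carries no path), 'path' for the
    shared C2 path on an unknown host, or None for no match / unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, _client, method, url, _status = m.groups()
    if method == "CONNECT":
        # CONNECT requests name host:port only; there is no path to compare.
        host, path = url.split(":")[0].lower(), ""
    else:
        p = urlparse(url)
        host, path = (p.hostname or "").lower(), p.path
    if (host, path) in C2_PAIRS:
        return "c2"
    if host in C2_HOSTS:
        return "host"
    if path in C2_PATHS:
        return "path"
    return None


def scan_log(lines):
    """Return [(line_no, verdict, line)] for every line that hits an indicator."""
    hits = []
    for i, line in enumerate(lines, 1):
        verdict = classify_request(line)
        if verdict:
            hits.append((i, verdict, line.strip()))
    return hits


# Constructed sample log: one benign request, three C2 domains, one unknown host
# reusing the C2 path. Timestamps and client IPs are made up.
SAMPLE_LOG = """\
2021-03-24T10:01:02Z 10.0.0.15 GET http://example.com/index.html 200
2021-03-24T10:01:09Z 10.0.0.15 POST http://tricilidiany.com/8/forum.php 200
2021-03-24T10:01:10Z 10.0.0.15 GET http://gloporiente.ru/favicon.ico 404
2021-03-24T10:01:11Z 10.0.0.22 CONNECT intaticducalso.ru:443 200
2021-03-24T10:02:00Z 10.0.0.15 GET http://TRICILIDIANY.COM/8/forum.php 200
2021-03-24T10:02:30Z 10.0.0.31 POST http://unrelated.example/8/forum.php 200
"""

if __name__ == "__main__":
    for line_no, verdict, line in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{line_no:>3} {verdict:<5} {line}")
```

The host-only and path-only verdicts are deliberately kept separate from the exact match: a `host` hit on a CONNECT tunnel still deserves attention because the proxy cannot see the path inside TLS, while a `path` hit on an unrelated domain is only worth triage if that host is otherwise unknown in your environment.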

Targets

    • Target

      msals.dll

    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Blocklisted process makes network request

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks