General

  • Target

    0329_31702491610050.doc

  • Size

    711KB

  • Sample

    210329-51tt1x8c5e

  • MD5

    7e9402735c332840efc616153d5fb9ec

  • SHA1

    92399604632aec4e3b96e170d94dee0429fe5450

  • SHA256

    e8341c02f9f21286e9fbfcc847aeff6afc8c11c67979e3a5da692e8cacaa1b74

  • SHA512

    434c738386f20c9e383234c945a402cd710bf0dc525c3e09134084f61f8d98ce45b7ed89153f2a8ae557773b74fb2ed06514b7c6a4aa010ba86d2ca6b2b1e37f

Malware Config

Extracted

Family

hancitor

Botnet

2903_21387h

C2

http://probassita.com/8/forum.php

http://frobenalini.ru/8/forum.php

http://proubleblecilm.ru/8/forum.php

Targets

    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks