General

  • Target

    0329_2016740009605.doc

  • Size

    711KB

  • Sample

    210329-zzwsp394f2

  • MD5

    9c6bdac4a903bc77f49e33ab6eecd6e9

  • SHA1

    f25d69049ea9565797b802fe648cbe2f0296dcaa

  • SHA256

    1668b12e57562e9cd331af6f4ae0ce029079f66ae38a1e70384574199e64cb91

  • SHA512

    f3dcfe86a9690673b4851caa11e5380fe60f85d817bb4718bc2cc96b99ffea4f7d7312260889eebb8bf30d279cc0427f0389ded65ca888ae1ff38c711bfaeb94

Malware Config

Extracted

Family

hancitor

Botnet

2903_21387h

C2

http://probassita.com/8/forum.php

http://frobenalini.ru/8/forum.php

http://proubleblecilm.ru/8/forum.php

Targets

    • Target

      0329_2016740009605.doc


    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks