General

  • Target

    0330_2122365705060.doc

  • Size

    768KB

  • Sample

    210330-8dd9vts2mn

  • MD5

    f7c344bf8006c4ba061178469aec80ae

  • SHA1

    742b6aa480ed934100ad744117d728ced097b926

  • SHA256

    082d843c9c9610aa0ef139c34e5780e90c51e314b3fb156a5e2f7dfea00b92af

  • SHA512

    b3f20011abd56e6fa7cd26e0d16cceefac5b19536bcd2fee72b518c29bdf4831ab437c34fe0825eeb34aa6548ced30ddb1ee9aa16aa9572df8b1b7926a51dfb0

Malware Config

Extracted

Family

hancitor

Botnet

3003_verio

C2

http://stionicksilid.com/8/forum.php

http://succupenous.ru/8/forum.php

http://cappiasstising.ru/8/forum.php

Targets

    • Target

      0330_2122365705060.doc

    • Size

      768KB

    • MD5

      f7c344bf8006c4ba061178469aec80ae

    • SHA1

      742b6aa480ed934100ad744117d728ced097b926

    • SHA256

      082d843c9c9610aa0ef139c34e5780e90c51e314b3fb156a5e2f7dfea00b92af

    • SHA512

      b3f20011abd56e6fa7cd26e0d16cceefac5b19536bcd2fee72b518c29bdf4831ab437c34fe0825eeb34aa6548ced30ddb1ee9aa16aa9572df8b1b7926a51dfb0

    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks