General

  • Target

    478242a8c5aa052bcb10613dfffce2f728c845816603f628dae6623de9f9c1af.zip

  • Size

    707KB

  • Sample

    210330-wve9pfgaae

  • MD5

    92a9c1965328f6ae936a48195345e80e

  • SHA1

    d88547942403f1a25929dd16a27ddfef2ea5d23f

  • SHA256

    a9f3ac630cff56be1252ae6b33e1e7a506818668feaa6c169ce728ab2abb57f9

  • SHA512

    7523f4cb3054b8e92527e32c46aee098473260e8e43df012b14a5f45092c3be202befb59a59d0a2bba3c0b02fd4b4e23814ff7a285ffea6cd6e94f2d2e0bd59f

Malware Config

Extracted

Family

hancitor

Botnet

2903_21387h

C2

http://probassita.com/8/forum.php

http://frobenalini.ru/8/forum.php

http://proubleblecilm.ru/8/forum.php

Targets

    • Target

      478242a8c5aa052bcb10613dfffce2f728c845816603f628dae6623de9f9c1af

    • Size

      711KB

    • MD5

      cd23383155515a64ac8329129bf4ec1d

    • SHA1

      b03ec5e45db9ccb53682ed18fd318916ece2fa0f

    • SHA256

      478242a8c5aa052bcb10613dfffce2f728c845816603f628dae6623de9f9c1af

    • SHA512

      419c6316bbd2f9ca976e0e47ff0f18f4613b2fd48fb24926193ee7d7021f3c32f81b0e11f8d110d88dbee02cfd4c9d1f2294f88669c19613c261a4f02156f704

    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
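
The C2 URLs in the extracted config and the "looks up external IP" signature above are the two network observables a defender can act on directly. The following is an added triage helper, not part of the sandbox output or the Hancitor sample: it checks proxy log records against the three C2 URLs listed on this page, flags requests to external-IP lookup services, and correlates the two per client. The log line format (timestamp, client IP, method, URL), the list of IP-lookup hosts, and the sample records are constructed assumptions for the demonstration; the report does not name which lookup service the sample used. Matching on the shared `/8/forum.php` path alone is a looser pivot for hosts not in the config and is reported separately so it can be treated as lower confidence.

```python
"""Hancitor network IOC triage (added example, not sandbox output)."""
from urllib.parse import urlparse

# C2 URLs copied verbatim from the extracted config above.
HANCITOR_C2 = {
    "http://probassita.com/8/forum.php",
    "http://frobenalini.ru/8/forum.php",
    "http://proubleblecilm.ru/8/forum.php",
}
C2_HOSTS = {urlparse(u).hostname for u in HANCITOR_C2}
# Path shared by all three extracted C2 URLs; used as a lower-confidence pivot.
C2_PATH = "/8/forum.php"

# Assumed set of external-IP lookup services (the report does not name one).
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "ifconfig.me", "icanhazip.com", "checkip.amazonaws.com",
}

# Constructed proxy records in the assumed format: timestamp client method url.
SAMPLE_LOG = [
    "2021-03-30T10:01:02Z 10.0.0.15 GET  http://api.ipify.org/",
    "2021-03-30T10:01:05Z 10.0.0.15 POST http://probassita.com/8/forum.php",
    "2021-03-30T10:01:09Z 10.0.0.15 POST http://frobenalini.ru/8/forum.php",
    "2021-03-30T10:02:00Z 10.0.0.22 GET  https://www.microsoft.com/",
]


def classify_request(url: str) -> str:
    """Return 'c2', 'c2-pattern', 'ip-lookup' or 'benign' for one requested URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if url in HANCITOR_C2 or host in C2_HOSTS:
        return "c2"                # exact match against the extracted config
    if parsed.path == C2_PATH:
        return "c2-pattern"        # same path on a host not in the config
    if host in IP_LOOKUP_HOSTS:
        return "ip-lookup"         # matches the "looks up external IP" signature
    return "benign"


def scan_log(lines):
    """Parse assumed-format records and return (client, verdict, url) for non-benign hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue               # skip malformed records rather than crash
        _ts, client, _method, url = parts[:4]
        verdict = classify_request(url)
        if verdict != "benign":
            hits.append((client, verdict, url))
    return hits


def infected_clients(hits):
    """Clients that both looked up their external IP and reached a C2 URL or path."""
    by_client = {}
    for client, verdict, _url in hits:
        by_client.setdefault(client, set()).add(verdict)
    return sorted(
        c for c, v in by_client.items()
        if "ip-lookup" in v and ({"c2", "c2-pattern"} & v)
    )


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, verdict, url in found:
        print(f"{client} {verdict:<11} {url}")
    print("likely infected:", infected_clients(found))
```

Running the module against real proxy exports only requires adapting `scan_log` to the local record layout; the classification and correlation logic is independent of it.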

MITRE ATT&CK Enterprise v6

Tasks