General

  • Target: wininit.dll
  • Size: 617KB
  • Sample: 210408-t1j52kzc6j
  • MD5: 9b33f2c41c7458ebd406d3a9a9e25907
  • SHA1: 9146dd7ba53d03b51c0d5fe8057de577a7a21190
  • SHA256: 796cf06c724edaf7dc746a560d77ccf0ca39972849137cae8a95be13786956a3
  • SHA512: 7e243551bbbf3fbcbfd07b684691b045420a28a748ee74cbfd9a1aa5934bf2153f20c29a582e65a2da6d9a45515c72c7b150a520cef76daa6226364f1c853847

Malware Config

Extracted

  • Family: hancitor
  • Botnet: 0804_cifp
  • C2:
      http://lerevahel.com/8/forum.php
      http://lerevahel.ru/8/forum.php
      http://metatussi.ru/8/forum.php

Targets

    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Blocklisted process makes network request

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks