General
-
Target
hans_20210817.zip
-
Size
26.1MB
-
Sample
210817-7l873k3yas
-
MD5
7a29b938f7ea85f8558fc893c2e91faa
-
SHA1
c4b7f2ec17c6ee9fd79dc60259a0978bd13a5245
-
SHA256
78c2f5742629c2638d0bee0e19f4fb260f48c497e60a3ef0edde72167fc470ee
-
SHA512
a2aa86202c08b18698a1255f91c81caeafdffafcc61beaa1cfcee3461cb66a86de94d7b001f07e63ad4f20120c820d2c1e5a61481939bba13d6bbbec085c1304
Malware Config
Extracted
hancitor
1608_febd
http://patiennerrhe.com/8/forum.php
http://thougolograrly.ru/8/forum.php
http://chopprousite.ru/8/forum.php
Targets
-
-
Target
20210817_161101_7605280b9cca220cad82ac993c8e8b1abdd4a82b7f7673520e28c4fab34cca98_0817_1486111107.doc
-
Size
837KB
-
MD5
200ad6d9bc1aa7939fb3dbb5e7983633
-
SHA1
e917a6ce3438e5fb6c63d9ab5ca65c428abb6933
-
SHA256
7605280b9cca220cad82ac993c8e8b1abdd4a82b7f7673520e28c4fab34cca98
-
SHA512
c510bf5eb6a6a66681ece5d31c61031c417c77782ea915feb7e5cbbbd6d201ac109f08278f1edbcff93cc3e3819a36329083ef0b416bc31c00be12a41543e34c
Score10/10-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
20210817_161759_9a60f668ec44fbde462bb97f702514914de98149d20f5e90b39b0f39c4acc80e_0817_5437727510.doc
-
Size
837KB
-
MD5
3c16a9c34262ccfbdc7ed7f396a25749
-
SHA1
8e52fafb0612e164c3b9ee3b20b64b07d7307fa3
-
SHA256
9a60f668ec44fbde462bb97f702514914de98149d20f5e90b39b0f39c4acc80e
-
SHA512
aa238254acdf7066bc2d0ebae608c7d27ba30d92cb61e2adc303f92ed6efb2291ce9f2991e0277dc3337ed48c741d2a32cfb954c6f7323eebaf59c16848a8c30
Score10/10-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
20210817_161853_03b754420f96d6c12bd6f04ac20aaba0ecd429f72e4bc30346fbbb515b8e291d_0817_5185561062.doc
-
Size
837KB
-
MD5
cf23a48792979e7c44956ee2cc296a22
-
SHA1
ac0d56f1c4f3b1d4cdb0b4dfb601b2457350bc7b
-
SHA256
03b754420f96d6c12bd6f04ac20aaba0ecd429f72e4bc30346fbbb515b8e291d
-
SHA512
a03a5b86655318327ce69cc87d2ab90e00dd4a997605627a45f5e3ca45928990de47bc4130a394071bbed56fdaf585ef71bac6616b382c339a8b54dae27f9aa5
Score10/10-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
20210817_162140_8388f1b18e81483d28dcf14804cd8f6e34da51301cff2637cdacc1973d5b5dae_0817_2747311523.doc
-
Size
837KB
-
MD5
cc90a4e2b487ea7885c2b375d0580ac0
-
SHA1
dbb233958073de02b88a51f72f00b684db63363b
-
SHA256
8388f1b18e81483d28dcf14804cd8f6e34da51301cff2637cdacc1973d5b5dae
-
SHA512
b4ec349dabbaf32c93d9c596d99ea4e25aa4c90f31d5eaed9d29d35ffa72c55f9862f4aa486e3a3075e16920c5092934c8ebbe00b620d573d629cb44b5c509ff
Score10/10-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
20210817_162620_3e06fc4cc0eef88afd81670142072e3f9f38310181d4ace3fd8bd6eaf83768c6_0817_2852805272.doc
-
Size
837KB
-
MD5
ea4b8b06eb3e3045374db4e168d4f4a3
-
SHA1
bf69de18b5090f7712477cba41b3fec34bf650b0
-
SHA256
3e06fc4cc0eef88afd81670142072e3f9f38310181d4ace3fd8bd6eaf83768c6
-
SHA512
b23238ebbbf6d7c78044f69a523e3506c05abaece11c2cda24ea7bc3c49f62bc49a137c4cdbae12ae303ab615a4e8a7b71988e6f3b0ae4e8e34a9e21b0aeb206
Score10/10-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
20210817_162918_10f2f8684a0b879e96aa11a06b30b2a3c6bbf4dbd2eb1ca1cc1e9a35ff305248_0817_3071048832.doc
-
Size
837KB
-
MD5
e0b287b1851765c7f0629a048efd0ba0
-
SHA1
e08eff4df3cb10eddeb9d73e97252814646e94d7
-
SHA256
10f2f8684a0b879e96aa11a06b30b2a3c6bbf4dbd2eb1ca1cc1e9a35ff305248
-
SHA512
b946117f4ce0463200024f7b8ee5767c3bf0e83ca0f9d48cd352c7a4a06b9c35da95349e0b70de5265af26aa92e77cb4f9067434990dbbcd0372a57f8f8c7858
Score10/10-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
20210817_163317_093c1c48776d6a6b8b85d60f6306274f23e4926591bb2de9475242b02aabe202_0817_7731838305.doc
-
Size
837KB
-
MD5
0d109d23a22ce19d41a1be7c92a53971
-
SHA1
85b5ed0e694c0f03b13701a6316516274fc44aeb
-
SHA256
093c1c48776d6a6b8b85d60f6306274f23e4926591bb2de9475242b02aabe202
-
SHA512
71fb04adc003070c54baaddb0e0499d06e3a05b70f51ae32feadb3fed72589903d4bef3759c8d7c05e10074c8bac3e716669aa45eb8b99212921214003ef4425
Score10/10-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
20210817_163323_3ec0b163dffdee59d891091fb85af87fef75cf064f4fe774a1139fffbcf8ed62_0817_5868520063.doc
-
Size
837KB
-
MD5
d8b9b8941fe60213a118fe088805916e
-
SHA1
1b3568231db39ae07e20a45e78bb4793ef170093
-
SHA256
3ec0b163dffdee59d891091fb85af87fef75cf064f4fe774a1139fffbcf8ed62
-
SHA512
120569897cb4b94fa03df4ff772059704a8eaf33de28829cf756e9b9902663d9afc7de5a90e0622e964c2e059bb18e4052280f8bdd44370434e6c9dcad65b4d4
Score10/10-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
20210817_163816_1d84998540e0c57a0e97459cfe426eace7c29af3a8b63914a0d718a6a4d7cce2_0817_3241763624.doc
-
Size
837KB
-
MD5
ed2b1da8be7d137c7d26f8624f6f546f
-
SHA1
7374b1db74ec3b1957078c724b1a846f56a3932b
-
SHA256
1d84998540e0c57a0e97459cfe426eace7c29af3a8b63914a0d718a6a4d7cce2
-
SHA512
d71d6472257f29b9af0b96490f9320d23d5d4371c378c97bee4cafd375e3568a67bc3934fd6aed7a9b2c4f2dc93fd18c7fe501918d28f096ae4d9c6a3ede7621
Score10/10-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
20210817_164105_67468f98d61b877833c3dbb691973c263c8d6a4f6799575b961f92f0c2026b03_0817_2446481575.doc
-
Size
837KB
-
MD5
7c4bb5aeef15db1008e0219728d9d6ec
-
SHA1
ffb91b0b89168d3779380a8e65aa03bbdfac86bf
-
SHA256
67468f98d61b877833c3dbb691973c263c8d6a4f6799575b961f92f0c2026b03
-
SHA512
b6fefb1fcd5742caaf7e2eaa36abb01529dda1e42cca77a6ca414cc7aaa3c78392312ae9113d633a3d17780fc225c965e38fa5072c63956c54b1b225080bdfc1
Score10/10-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
20210817_164603_fef43a87ca8b757228b9618ff62671997016ef1ef7f2e4c2023bf7e76714c8ba_0817_4471757604.doc
-
Size
837KB
-
MD5
a114001b34e916b2372f4472079107f5
-
SHA1
fb24f72beeff59a05cb944d2f75d573134dfb5a3
-
SHA256
fef43a87ca8b757228b9618ff62671997016ef1ef7f2e4c2023bf7e76714c8ba
-
SHA512
3074f851f4e5e052286b6c37785780ca0247a4c0df98120f2fb841800ba0768c6b449a6c58a99790b6136bb22f4c5ee78b45243486ba0b151f542e32e5711dfb
Score10/10-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
20210817_164817_b856b423c9f7a5615973310b4a7041997a3981a9bd840827ff44a04429078ab7_0817_4832360670.doc
-
Size
837KB
-
MD5
2f678e8d11b81c09dccf4602cc086318
-
SHA1
f20ca08263de73d59e559955d7a7d6eb3c85ea68
-
SHA256
b856b423c9f7a5615973310b4a7041997a3981a9bd840827ff44a04429078ab7
-
SHA512
0ae9908b17d074ddec21c5fb12c747f4bf811f141042da461977b66f86f3675d48b6e89772a1a53665457262e772f83a279b8d5c8c2131dca21ea023ccf543a0
Score4/10 -
-
-
Target
20210817_165213_aa4f7ae3462c2250f78753f5665a711e0ba63573ff8caf21f7665190446d74c5_0817_0327624262.doc
-
Size
837KB
-
MD5
46706159a43db1e5a6dc1c65587284e8
-
SHA1
4e71bc38ce2be6df321f16646de2a0315c012fc5
-
SHA256
aa4f7ae3462c2250f78753f5665a711e0ba63573ff8caf21f7665190446d74c5
-
SHA512
bb344931da4ca2d430d10a507a4142f5e27854972b48ec7c95ef00c099acd6687ace4df80021b452dd83d1c90a2ea6ca65060acc24a9383e754086d631caf823
Score10/10-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
20210817_165358_46850df2cfbdf911fb1e363717ba7795462b54a01a1942b35f4260da53f259e1_0817_4180475288.doc
-
Size
837KB
-
MD5
02950bf1ad601ea14771758ce06ce99e
-
SHA1
871eeceda5ca6c165d4240beca5905e1c2e45c93
-
SHA256
46850df2cfbdf911fb1e363717ba7795462b54a01a1942b35f4260da53f259e1
-
SHA512
3a11d6bf4602c040191c07f97406f509f8d18d1d85a4b6923b513e9f75094382c48302b87bc0ec9406eaad4102df06f3c2e028b40804edff0e86d45f2f405703
Score10/10-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
20210817_165940_9166ec26ca0dbcca6e96649fd0d071cddb9392a5e8d555ed7004ec69637724c8_0817_0164773700.doc
-
Size
837KB
-
MD5
a06c2bd2c1f83ab74a09536ad094cb93
-
SHA1
59ca708d4c6751ba674de181170fbec5891d0f1b
-
SHA256
9166ec26ca0dbcca6e96649fd0d071cddb9392a5e8d555ed7004ec69637724c8
-
SHA512
5678fe5578bf742fa25b29ee7f6d919f8d34ddcf6768dee56f83fdb2cbd8a64d47e32f27627f6b542916e878d4e9ed7d5c71dc4d1a4a6df0ac102fae7422e856
Score10/10-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
20210817_170005_a903fcdfc615f1626a428b0a21fc7bc1fc49a1e15434dc5b031caf0323954c8b_0817_0182354287.doc
-
Size
837KB
-
MD5
198cd7865cd3524306f5df62f35e9f81
-
SHA1
647f73c8bb2ad51f5ed3852a3371c20635e3d2de
-
SHA256
a903fcdfc615f1626a428b0a21fc7bc1fc49a1e15434dc5b031caf0323954c8b
-
SHA512
6d4c32c14c4da59e6b2c86009bdc48ae08077354a4da73d64052c9fb1e10c40093efa06be8306d1a81b496ee69a8d2c9a4b5a0d2a45ce52099fa09d95df3f7fd
Score10/10-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-