Overview

overview

10

Static

static

8

20210817_1...75.doc

windows7_x64

4

20210817_1...75.doc

windows10_x64

10

20210817_1...10.doc

windows7_x64

4

20210817_1...10.doc

windows10_x64

10

20210817_1...31.doc

windows7_x64

4

20210817_1...31.doc

windows10_x64

10

20210817_1...80.doc

windows7_x64

4

20210817_1...80.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    hans_20210817.zip

  • Size

    2.9MB

  • Sample

    210817-e1frs9eg9x

  • MD5

    76c30d2b3a88e669c9dd0e5690e1b050

  • SHA1

    4f3e7e7f99fc6db8062a96f29744d665d505e926

  • SHA256

    975cecc2ec93898a5d0a9fcc9c57ed8bb335271530c140e8e2ae4ca5f176f06f

  • SHA512

    e7d7905e8213f69b5cc022ca48196816dd24bc42098a5bf6e13d86a758cdae2fdd959367d9bea5ea528196342950834115edcbc4feb5164d78432130be585208

Score
10/10
hancitor1608_febddownloadermacromacro_on_action

Malware Config

Extracted

Family

hancitor

Botnet

1608_febd

C2

http://patiennerrhe.com/8/forum.php

http://thougolograrly.ru/8/forum.php

http://chopprousite.ru/8/forum.php

Targets

    • Target

      20210817_153735_9b8b946ac5d46b4648f63890d4da5cec9b9413d116cb3c5ec2646d490225ffd9_0817_1625158575.doc

    • Size

      837KB

    • MD5

      4b46e8622355d01db7079cab35105162

    • SHA1

      c403c4bd39f636784a5a7e61ac0107785f927324

    • SHA256

      9b8b946ac5d46b4648f63890d4da5cec9b9413d116cb3c5ec2646d490225ffd9

    • SHA512

      f2c2178c5755fb4d2ea1d6acfeb84b09b12ca3ef84dd81c5bfaaf203f753c6333ead16589e7290e7715effca207ea016545596fced708bed7ae077a93ffa38cb

    Score
    10/10
    hancitor1608_febddownloader

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

      downloaderhancitor

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

    • Target

      20210817_154154_1dbbafce55a19e7946895e941ff89874813a85a25ccd91840f358af181cf26a1_0817_6576604010.doc

    • Size

      837KB

    • MD5

      9a954d5ff68f5f008ae31a511868b901

    • SHA1

      5b2bdf49c95c6fe464511967cbc9fe4481ce5b2a

    • SHA256

      1dbbafce55a19e7946895e941ff89874813a85a25ccd91840f358af181cf26a1

    • SHA512

      482c1409afc191a64d47502a52d2d2fc877bfa935ce1d63a0a259c23b92c29bd418cc2e00d45471c0b656a239714690ee3de9f1b71be41100213d23703c76b48

    Score
    10/10
    hancitor1608_febddownloader

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

      downloaderhancitor

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral3behavioral4

    • Target

      20210817_154832_74338b71619799a6e5df0bd8b40817ca89dacaf09bf5d4d2108be8509d4d71bc_0817_0378100231.doc

    • Size

      837KB

    • MD5

      2e40dd4bf39e7e0b4b17f56581646c62

    • SHA1

      49122c3d2d5a09604af8f99524a5f5327be4b30a

    • SHA256

      74338b71619799a6e5df0bd8b40817ca89dacaf09bf5d4d2108be8509d4d71bc

    • SHA512

      14a5fc6bfb1785bf5f1e7fc98feee8187e8fbbdca4b8092f15f888d5248740ccb6e1c743456da27dc6e5d1f857f59ab0f07c8af5e01c3d983c6157d2719619bf

    Score
    10/10
    hancitor1608_febddownloader

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

      downloaderhancitor

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral5behavioral6

    • Target

      20210817_160744_f34d0679122dd95e900f88283dad55b68727c77c337508e6c449a5073682df64_0817_2167548380.doc

    • Size

      837KB

    • MD5

      1c62c00b029f4246e2f63fbcb8c0ece7

    • SHA1

      3a4e6fa3e3378e123e462a725cb1ee2e91a14ae8

    • SHA256

      f34d0679122dd95e900f88283dad55b68727c77c337508e6c449a5073682df64

    • SHA512

      7ba3dbbb7280d6b415aa5a8341e98aa6bd2aac1e15bf5b00566aca206e18d153d21431631d6598db496c6fb60f0c4f2f221b42aca9303f79e92eb0eb2c3c54c2

    Score
    10/10
    hancitor1608_febddownloader

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

      downloaderhancitor

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral7behavioral8

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

4
T1112

Credential Access

Discovery

Query Registry

8
T1012

System Information Discovery

8
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks