hancitor | 5b0ef982ada2cab733e409b050c472ea4c8eb3c6950633828c1570747e81ead8 | Triage

Sharing

General

Target

5b0ef982ada2cab733e409b050c472ea4c8eb3c6950633828c1570747e81ead8
Size

211KB
Sample

211020-r9e39aaahn
MD5

4327ed1671deb9f1b0169cf10680840a
SHA1

b4015aa7d5579097378d0477903511397b04f007
SHA256

5b0ef982ada2cab733e409b050c472ea4c8eb3c6950633828c1570747e81ead8
SHA512

76fe1c172a7afa578df1d93975689accb1e52d2279c02a2ebbcd7c374acdf79fbf34aad7e5d89d968477853fabcf745f5b767282605ab93a02ea71d2a6b7cc39

Score

10^/10

hancitor exp_14 downloader persistence suricata

Malware Config

Extracted

Family

hancitor

Botnet

exp_14

C2

http://spetandserilic.com/4/forum.php

http://theithyosavele.ru/4/forum.php

http://imetionfachoul.ru/4/forum.php

Targets

- Target
  
  5b0ef982ada2cab733e409b050c472ea4c8eb3c6950633828c1570747e81ead8
- Size
  
  211KB
- MD5
  
  4327ed1671deb9f1b0169cf10680840a
- SHA1
  
  b4015aa7d5579097378d0477903511397b04f007
- SHA256
  
  5b0ef982ada2cab733e409b050c472ea4c8eb3c6950633828c1570747e81ead8
- SHA512
  
  76fe1c172a7afa578df1d93975689accb1e52d2279c02a2ebbcd7c374acdf79fbf34aad7e5d89d968477853fabcf745f5b767282605ab93a02ea71d2a6b7cc39
Score

10^/10

hancitor exp_14 downloader persistence suricata
- Hancitor
  Hancitor is downloader used to deliver other malware families.
  downloader hancitor
- suricata: ET MALWARE Tordal/Hancitor/Chanitor Checkin
  suricata: ET MALWARE Tordal/Hancitor/Chanitor Checkin
  suricata
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hancitorexp_14downloaderpersistencesuricata