hancitor | 5b0ef982ada2cab733e409b050c472ea4c8eb3c6950633828c1570747e81ead8

General

Target

5b0ef982ada2cab733e409b050c472ea4c8eb3c6950633828c1570747e81ead8.exe
Size

211KB
MD5

4327ed1671deb9f1b0169cf10680840a
SHA1

b4015aa7d5579097378d0477903511397b04f007
SHA256

5b0ef982ada2cab733e409b050c472ea4c8eb3c6950633828c1570747e81ead8
SHA512

76fe1c172a7afa578df1d93975689accb1e52d2279c02a2ebbcd7c374acdf79fbf34aad7e5d89d968477853fabcf745f5b767282605ab93a02ea71d2a6b7cc39

Score

10^/10

hancitor exp_14 downloader persistence suricata

Malware Config

Extracted

Family

hancitor

Botnet

exp_14

C2

http://spetandserilic.com/4/forum.php

http://theithyosavele.ru/4/forum.php

http://imetionfachoul.ru/4/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor
suricata: ET MALWARE Tordal/Hancitor/Chanitor Checkin
suricata: ET MALWARE Tordal/Hancitor/Chanitor Checkin
suricata

Executes dropped EXE 1 IoCs

pid	Process
656	WinHost32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinHost32 = "C:\\Windows\\System32\\WinHost32.exe"	5b0ef982ada2cab733e409b050c472ea4c8eb3c6950633828c1570747e81ead8.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	api.ipify.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinHost32.exe	5b0ef982ada2cab733e409b050c472ea4c8eb3c6950633828c1570747e81ead8.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2396	5b0ef982ada2cab733e409b050c472ea4c8eb3c6950633828c1570747e81ead8.exe
2396	5b0ef982ada2cab733e409b050c472ea4c8eb3c6950633828c1570747e81ead8.exe
656	WinHost32.exe
656	WinHost32.exe
656	WinHost32.exe
656	WinHost32.exe
656	WinHost32.exe
656	WinHost32.exe
656	WinHost32.exe
656	WinHost32.exe
656	WinHost32.exe
656	WinHost32.exe
656	WinHost32.exe
656	WinHost32.exe
656	WinHost32.exe
656	WinHost32.exe
656	WinHost32.exe
656	WinHost32.exe
656	WinHost32.exe
656	WinHost32.exe
656	WinHost32.exe
656	WinHost32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 656	2396	5b0ef982ada2cab733e409b050c472ea4c8eb3c6950633828c1570747e81ead8.exe	70
PID 2396 wrote to memory of 656	2396	5b0ef982ada2cab733e409b050c472ea4c8eb3c6950633828c1570747e81ead8.exe	70
PID 2396 wrote to memory of 656	2396	5b0ef982ada2cab733e409b050c472ea4c8eb3c6950633828c1570747e81ead8.exe	70
PID 2396 wrote to memory of 1252	2396	5b0ef982ada2cab733e409b050c472ea4c8eb3c6950633828c1570747e81ead8.exe	71
PID 2396 wrote to memory of 1252	2396	5b0ef982ada2cab733e409b050c472ea4c8eb3c6950633828c1570747e81ead8.exe	71
PID 2396 wrote to memory of 1252	2396	5b0ef982ada2cab733e409b050c472ea4c8eb3c6950633828c1570747e81ead8.exe	71

C:\Users\Admin\AppData\Local\Temp\5b0ef982ada2cab733e409b050c472ea4c8eb3c6950633828c1570747e81ead8.exe
"C:\Users\Admin\AppData\Local\Temp\5b0ef982ada2cab733e409b050c472ea4c8eb3c6950633828c1570747e81ead8.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\WinHost32.exe
  C:\Windows\System32\WinHost32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:656
- C:\Windows\SysWOW64\cmd.exe
  /c del C:\Users\Admin\AppData\Local\Temp\5b0ef982ada2cab733e409b050c472ea4c8eb3c6950633828c1570747e81ead8.exe >> NUL
  2⤵
  PID:1252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/656-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/656-123-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/2396-121-0x0000000000540000-0x000000000068A000-memory.dmp

Filesize
1.3MB

Download
memory/2396-122-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing