Overview

overview

10

Static

static

8

1027_5313688312.doc

windows7_x64

4

1027_5313688312.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1027_5313688312.doc

  • Size

    416KB

  • Sample

    211027-rszrbsfah3

  • MD5

    6f057a4843cdde3b2f75246d14abeb54

  • SHA1

    b3b37a0a0cde7d2be0d7102ce0e78291f759024b

  • SHA256

    1d58434e3eb83b310f0cc2626b7a17dd7a0ff298e74744efb5c612e1d8daa678

  • SHA512

    a0ca28f84164bfd40a1a305c4a18fbd92ea6af14ac05d38c77d418f9b9001407ece9740a3bad05ec369227f91b7781be13a0f4983811b3bc148d4e2497beb5e2

Score
10/10
hancitordownloadermacromacro_on_action

Malware Config

Targets

    • Target

      1027_5313688312.doc

    • Size

      416KB

    • MD5

      6f057a4843cdde3b2f75246d14abeb54

    • SHA1

      b3b37a0a0cde7d2be0d7102ce0e78291f759024b

    • SHA256

      1d58434e3eb83b310f0cc2626b7a17dd7a0ff298e74744efb5c612e1d8daa678

    • SHA512

      a0ca28f84164bfd40a1a305c4a18fbd92ea6af14ac05d38c77d418f9b9001407ece9740a3bad05ec369227f91b7781be13a0f4983811b3bc148d4e2497beb5e2

    Score
    10/10
    hancitordownloader

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

      downloaderhancitor

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks