hancitor | b1646a1969fa9d03485671ca4d50dd89f6263179310881fa4b3e3580a4e02da9

Analysis

Target

triage_dropped_file.dll
Size

324KB
MD5

86f065892d619ff64bcafe30290bad4f
SHA1

ecfa5f0449880220759369098cc76ca3ba0d8501
SHA256

b1646a1969fa9d03485671ca4d50dd89f6263179310881fa4b3e3580a4e02da9
SHA512

52c35644ee385a6ed40a0a336fd8423326dae24472ce85b702facb3ad451ed9210ea33e31cab9d240d6ef359556bf8b7b7e32fe19b272762ef5ab5dd2b846ade

Score

10^/10

Family

hancitor

Botnet

2610_cxe

http://ottedince.com/8/forum.php

http://indiscort.ru/8/forum.php

http://tremilline.ru/8/forum.php

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Blocklisted process makes network request 3 IoCs

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	api.ipify.org

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2700	2660	rundll32.exe	68
PID 2660 wrote to memory of 2700	2660	rundll32.exe	68
PID 2660 wrote to memory of 2700	2660	rundll32.exe	68

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:2700

memory/2700-116-0x0000000073A60000-0x0000000073AC7000-memory.dmp

Filesize
412KB

Download
memory/2700-117-0x0000000073A60000-0x0000000073A68000-memory.dmp

Filesize
32KB

Download
memory/2700-118-0x0000000002820000-0x000000000296A000-memory.dmp

Filesize
1.3MB

Download