hancitor | b1646a1969fa9d03485671ca4d50dd89f6263179310881fa4b3e3580a4e02da9

Analysis

Target

gelforr.dap.dll
Size

324KB
MD5

86f065892d619ff64bcafe30290bad4f
SHA1

ecfa5f0449880220759369098cc76ca3ba0d8501
SHA256

b1646a1969fa9d03485671ca4d50dd89f6263179310881fa4b3e3580a4e02da9
SHA512

52c35644ee385a6ed40a0a336fd8423326dae24472ce85b702facb3ad451ed9210ea33e31cab9d240d6ef359556bf8b7b7e32fe19b272762ef5ab5dd2b846ade

Score

10^/10

Family

hancitor

Botnet

2610_cxe

http://ottedince.com/8/forum.php

http://indiscort.ru/8/forum.php

http://tremilline.ru/8/forum.php

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	528	rundll32.exe
7	528	rundll32.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
528	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 528	772	rundll32.exe	28
PID 772 wrote to memory of 528	772	rundll32.exe	28
PID 772 wrote to memory of 528	772	rundll32.exe	28
PID 772 wrote to memory of 528	772	rundll32.exe	28
PID 772 wrote to memory of 528	772	rundll32.exe	28
PID 772 wrote to memory of 528	772	rundll32.exe	28
PID 772 wrote to memory of 528	772	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\gelforr.dap.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\gelforr.dap.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:528

memory/528-55-0x0000000075821000-0x0000000075823000-memory.dmp

Filesize
8KB

Download
memory/528-56-0x0000000074DB0000-0x0000000074E17000-memory.dmp

Filesize
412KB

Download
memory/528-57-0x0000000074DB0000-0x0000000074DB8000-memory.dmp

Filesize
32KB

Download
memory/528-58-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download