Overview

overview

10

Static

static

8

vir.doc

windows7_x64

4

vir.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    vir.doc

  • Size

    417KB

  • Sample

    211029-neacqshhdm

  • MD5

    ba23c4970aa9c2de50bdf1b1e33bbadc

  • SHA1

    d51ee5f01cb47da056917564e8046cb41fc0e052

  • SHA256

    89885adcbb030fd0251b08cc401392e90d4ad948f6cfc68dda34472c455a8951

  • SHA512

    ec179c2b15d2db6190bb10867c407143d78adccb6bd920d83c083843eeb1bb47a11cb5c92a4a398ad04783fa2dd223009f462d01b9822ab51c05f70ebe654e30

Score
10/10
hancitordownloadermacromacro_on_actionsuricata

Malware Config

Targets

    • Target

      vir.doc

    • Size

      417KB

    • MD5

      ba23c4970aa9c2de50bdf1b1e33bbadc

    • SHA1

      d51ee5f01cb47da056917564e8046cb41fc0e052

    • SHA256

      89885adcbb030fd0251b08cc401392e90d4ad948f6cfc68dda34472c455a8951

    • SHA512

      ec179c2b15d2db6190bb10867c407143d78adccb6bd920d83c083843eeb1bb47a11cb5c92a4a398ad04783fa2dd223009f462d01b9822ab51c05f70ebe654e30

    Score
    10/10
    hancitordownloadersuricata

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

      downloaderhancitor

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE Tordal/Hancitor/Chanitor Checkin

      suricata: ET MALWARE Tordal/Hancitor/Chanitor Checkin

      suricata

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks