hancitor | 776cc10efd4684db5615933031cf8879d882429f5175bb18ce3f84493e2a7e21

Analysis

Target

776cc10efd4684db5615933031cf8879d882429f5175bb18ce3f84493e2a7e21.dll
Size

55KB
MD5

91790a088f4b19c2b1f46dc0b7ffdf10
SHA1

30c1df818dbd511dcff4d5a2ca8d66ea53e12941
SHA256

776cc10efd4684db5615933031cf8879d882429f5175bb18ce3f84493e2a7e21
SHA512

b6a15a8a0434c6ca82b1ef8fb5369e59218f9f187f8a105f129c2d0f59bbc683e06b6628c0c5884ce12dd4c6660cfedc724fce00151b031ad108b735e55ed7bc

Score

10^/10

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor
suricata: ET MALWARE Tordal/Hancitor/Chanitor Checkin
suricata: ET MALWARE Tordal/Hancitor/Chanitor Checkin
suricata

Blocklisted process makes network request 3 IoCs

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	api.ipify.org

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 3116	2884	rundll32.exe	69
PID 2884 wrote to memory of 3116	2884	rundll32.exe	69
PID 2884 wrote to memory of 3116	2884	rundll32.exe	69

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\776cc10efd4684db5615933031cf8879d882429f5175bb18ce3f84493e2a7e21.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\776cc10efd4684db5615933031cf8879d882429f5175bb18ce3f84493e2a7e21.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:3116