hancitor | ea5dac3b13b5b4024882c9ae3adac9eff592e15260c1302e02cbc9e9839d4dd0

Analysis

Target

ea5dac3b13b5b4024882c9ae3adac9eff592e15260c1302e02cbc9e9839d4dd0.dll
Size

25KB
MD5

88e26129167d71f629fc07d16ef5c98b
SHA1

124024b22b0d9c2b7aee4a61524c0b30bc628d3c
SHA256

ea5dac3b13b5b4024882c9ae3adac9eff592e15260c1302e02cbc9e9839d4dd0
SHA512

a6997cd09e799633b34c713453a6f95dccde09607aef3d741365417f09a1d08d3fc84baddbc4df4d55e47ca89e047d834d41a3118d6d212346282f9bea42938e

Score

10^/10

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor
suricata: ET MALWARE Tordal/Hancitor/Chanitor Checkin
suricata: ET MALWARE Tordal/Hancitor/Chanitor Checkin
suricata

Blocklisted process makes network request 3 IoCs

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	api.ipify.org

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2824	2780	rundll32.exe	68
PID 2780 wrote to memory of 2824	2780	rundll32.exe	68
PID 2780 wrote to memory of 2824	2780	rundll32.exe	68

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ea5dac3b13b5b4024882c9ae3adac9eff592e15260c1302e02cbc9e9839d4dd0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ea5dac3b13b5b4024882c9ae3adac9eff592e15260c1302e02cbc9e9839d4dd0.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:2824