hancitor | e37509a2e31bf0c61750e42c8b4997647d97008fea5a5d35cc5e6142a6c2c9cb

General

Target

e37509a2e31bf0c61750e42c8b4997647d97008fea5a5d35cc5e6142a6c2c9cb.exe
Size

28KB
MD5

c5a1ef322041b6fe4e680423dcbb828b
SHA1

d903a7b75bfa71945b052f51533c13d33c6b3d62
SHA256

e37509a2e31bf0c61750e42c8b4997647d97008fea5a5d35cc5e6142a6c2c9cb
SHA512

60a02e429fa59477d180d794c2067da0665af8baf7453d0818d49cc1b340abbcb590b0f04ae50d503d7db423bb19ccd717ce59d433fc7945259dce975866231e

Score

10^/10

hancitor exp_14 downloader persistence

Malware Config

Extracted

Family

hancitor

Botnet

exp_14

C2

http://spetandserilic.com/4/forum.php

http://theithyosavele.ru/4/forum.php

http://imetionfachoul.ru/4/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Executes dropped EXE 1 IoCs

pid	Process
1796	WinHost32.exe

Deletes itself 1 IoCs

pid	Process
1164	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1592	e37509a2e31bf0c61750e42c8b4997647d97008fea5a5d35cc5e6142a6c2c9cb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinHost32 = "C:\\Windows\\System32\\WinHost32.exe"	e37509a2e31bf0c61750e42c8b4997647d97008fea5a5d35cc5e6142a6c2c9cb.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinHost32.exe	e37509a2e31bf0c61750e42c8b4997647d97008fea5a5d35cc5e6142a6c2c9cb.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1592	e37509a2e31bf0c61750e42c8b4997647d97008fea5a5d35cc5e6142a6c2c9cb.exe
1796	WinHost32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 1796	1592	e37509a2e31bf0c61750e42c8b4997647d97008fea5a5d35cc5e6142a6c2c9cb.exe	27
PID 1592 wrote to memory of 1796	1592	e37509a2e31bf0c61750e42c8b4997647d97008fea5a5d35cc5e6142a6c2c9cb.exe	27
PID 1592 wrote to memory of 1796	1592	e37509a2e31bf0c61750e42c8b4997647d97008fea5a5d35cc5e6142a6c2c9cb.exe	27
PID 1592 wrote to memory of 1796	1592	e37509a2e31bf0c61750e42c8b4997647d97008fea5a5d35cc5e6142a6c2c9cb.exe	27
PID 1592 wrote to memory of 1164	1592	e37509a2e31bf0c61750e42c8b4997647d97008fea5a5d35cc5e6142a6c2c9cb.exe	29
PID 1592 wrote to memory of 1164	1592	e37509a2e31bf0c61750e42c8b4997647d97008fea5a5d35cc5e6142a6c2c9cb.exe	29
PID 1592 wrote to memory of 1164	1592	e37509a2e31bf0c61750e42c8b4997647d97008fea5a5d35cc5e6142a6c2c9cb.exe	29
PID 1592 wrote to memory of 1164	1592	e37509a2e31bf0c61750e42c8b4997647d97008fea5a5d35cc5e6142a6c2c9cb.exe	29

C:\Users\Admin\AppData\Local\Temp\e37509a2e31bf0c61750e42c8b4997647d97008fea5a5d35cc5e6142a6c2c9cb.exe
"C:\Users\Admin\AppData\Local\Temp\e37509a2e31bf0c61750e42c8b4997647d97008fea5a5d35cc5e6142a6c2c9cb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\SysWOW64\WinHost32.exe
  C:\Windows\System32\WinHost32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1796
- C:\Windows\SysWOW64\cmd.exe
  /c del C:\Users\Admin\AppData\Local\Temp\e37509a2e31bf0c61750e42c8b4997647d97008fea5a5d35cc5e6142a6c2c9cb.exe >> NUL
  2⤵
  - Deletes itself
  PID:1164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1796-59-0x0000000075321000-0x0000000075323000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing