Analysis
-
max time kernel
142s -
max time network
142s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
03-11-2021 14:56
General
-
Target
gelfor.dap.dll
-
Size
696KB
-
MD5
522d9c5981133e496fb4d21ee2dc54a2
-
SHA1
2c0f7b0ba7c561cd65f02872fcaacef14663923b
-
SHA256
d83fbc9534957dd464cbc7cd2797d3041bd0d1a72b213b1ab7bccaec34359dbb
-
SHA512
10d336a68bafb412970318ed64fbba1c4387c0db34462eeb580d737877174d7afcd160c7017e8bae6db103bb88f370c18af95c457d286ab89ef55e2ab2a7dd15
Score
10/10
Malware Config
Extracted
Family
hancitor
Botnet
0211_ponxwe
C2
http://mettlybothe.com/8/forum.php
http://herstrairzoj.ru/8/forum.php
http://allonsetkes.ru/8/forum.php
Signatures
-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Blocklisted process makes network request 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\gelfor.dap.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\gelfor.dap.dll,#12⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
712KB
-
Filesize
28KB
-
Filesize
32KB
-
Filesize
32KB