Overview

overview

10

Static

static

8

1103_788528522604.doc

windows7_x64

4

1103_788528522604.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1103_788528522604.doc

  • Size

    575KB

  • Sample

    211103-x7vntabgcn

  • MD5

    ee6533a8f2332056197ad12ca7c945dc

  • SHA1

    569ea04796550cf0f8811e2a5aad4b9d1552aefe

  • SHA256

    915ea807cdf10ea4a4912377d7c688a527d0e91c7777d811b171d2960b75c65c

  • SHA512

    814432933d2ebb3aa4fc1bf7294ba786c852079ba96c68f7509c8594bc174aa2b0308e7d0fa4e6a3be2ac911905f5d31e4d7a98b64ea2e803fe2ab01860ba64f

Score
10/10
hancitor0211_ponxwedownloadermacromacro_on_actionsuricata

Malware Config

Extracted

Family

hancitor

Botnet

0211_ponxwe

C2

http://mettlybothe.com/8/forum.php

http://herstrairzoj.ru/8/forum.php

http://allonsetkes.ru/8/forum.php

Targets

    • Target

      1103_788528522604.doc

    • Size

      575KB

    • MD5

      ee6533a8f2332056197ad12ca7c945dc

    • SHA1

      569ea04796550cf0f8811e2a5aad4b9d1552aefe

    • SHA256

      915ea807cdf10ea4a4912377d7c688a527d0e91c7777d811b171d2960b75c65c

    • SHA512

      814432933d2ebb3aa4fc1bf7294ba786c852079ba96c68f7509c8594bc174aa2b0308e7d0fa4e6a3be2ac911905f5d31e4d7a98b64ea2e803fe2ab01860ba64f

    Score
    10/10
    hancitor0211_ponxwedownloadersuricata

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

      downloaderhancitor

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE Tordal/Hancitor/Chanitor Checkin

      suricata: ET MALWARE Tordal/Hancitor/Chanitor Checkin

      suricata

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks