hancitor | ce3b1bca503c703866945dc81edf9aca6988eb4183672a26f08cfbad3287b123 | Triage

Submit
Reports

Overview

overview

Static

static

8

1110_801396004406.doc

windows7_x64

4

1110_801396004406.doc

windows10_x64

Sharing

General

Target

1110_801396004406.doc
Size

522KB
Sample

211110-s4rqjaeecr
MD5

d25f2a1315e8f0cad8927fbf7b36b5c9
SHA1

8aa4bd92e2382bcf7f931e5b664355309631569c
SHA256

ce3b1bca503c703866945dc81edf9aca6988eb4183672a26f08cfbad3287b123
SHA512

e04a65752597808036639f947ae3adcfd7b5d9a1efe1732a44b9d4dbaa167bdab802303354380e8096fd2fbe60e035c0206e3d4f8dc3508e43b6f6a9e984755b

Score

10^/10

hancitor 0411_kdzm downloader macro macro_on_action suricata

Static task

static1

macro macro_on_action

Behavioral task

behavioral1

Sample

1110_801396004406.doc

Resource

win7-en-20211104

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

1110_801396004406.doc

Resource

win10-en-20211104

hancitor 0411_kdzm downloader suricata

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

hancitor

Botnet

0411_kdzm

C2

http://sucinenve.com/8/forum.php

http://foutpospaws.ru/8/forum.php

http://majoirtains.ru/8/forum.php

Targets

- Target
  
  1110_801396004406.doc
- Size
  
  522KB
- MD5
  
  d25f2a1315e8f0cad8927fbf7b36b5c9
- SHA1
  
  8aa4bd92e2382bcf7f931e5b664355309631569c
- SHA256
  
  ce3b1bca503c703866945dc81edf9aca6988eb4183672a26f08cfbad3287b123
- SHA512
  
  e04a65752597808036639f947ae3adcfd7b5d9a1efe1732a44b9d4dbaa167bdab802303354380e8096fd2fbe60e035c0206e3d4f8dc3508e43b6f6a9e984755b
Score

10^/10

hancitor 0411_kdzm downloader suricata
- Hancitor
  Hancitor is downloader used to deliver other malware families.
  downloader hancitor
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE Tordal/Hancitor/Chanitor Checkin
  suricata: ET MALWARE Tordal/Hancitor/Chanitor Checkin
  suricata
- Blocklisted process makes network request
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

macromacro_on_action

behavioral1

behavioral2

hancitor0411_kdzmdownloadersuricata

© 2018-2025

Terms | Privacy