Overview

overview

10

Static

static

8

hancitor.dll.doc

windows7_x64

4

hancitor.dll.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    hancitor.dll

  • Size

    893KB

  • Sample

    211123-tpjbaadge4

  • MD5

    10f35ddd335ecd684cecf96372aac468

  • SHA1

    942574b14f31d8f6fa53ba52362eb1d44ca68735

  • SHA256

    cf4adca8773145cf0a1d4ba32d555643442e14e9181ae8450bfb79ab86144914

  • SHA512

    126bcd8400f551a30f7b0ae5237a85de3df5fb9868d8d21e1e66dfe1fb5c9f1df3d3ccd4432cc59e34829c6f5658029a2487db084194b2697a5f669c1fcd512a

Score
10/10
hancitor2311_nsdirdownloadermacromacro_on_action

Malware Config

Extracted

Family

hancitor

Botnet

2311_nsdir

C2

http://templogio.com/9/forum.php

http://johommeract.ru/9/forum.php

http://amesibiquand.ru/9/forum.php

Targets

    • Target

      hancitor.dll

    • Size

      893KB

    • MD5

      10f35ddd335ecd684cecf96372aac468

    • SHA1

      942574b14f31d8f6fa53ba52362eb1d44ca68735

    • SHA256

      cf4adca8773145cf0a1d4ba32d555643442e14e9181ae8450bfb79ab86144914

    • SHA512

      126bcd8400f551a30f7b0ae5237a85de3df5fb9868d8d21e1e66dfe1fb5c9f1df3d3ccd4432cc59e34829c6f5658029a2487db084194b2697a5f669c1fcd512a

    Score
    10/10
    hancitor2311_nsdirdownloader

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

      downloaderhancitor

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks