Overview

overview

10

Static

static

8

1123_406173806433.doc

windows7_x64

4

1123_406173806433.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1123_406173806433.doc

  • Size

    892KB

  • Sample

    211123-v5qwqsead6

  • MD5

    b8f16928c8996da3b1b8446367e0250f

  • SHA1

    dd48ef35e2a43da6b50f8e67b82ee1ca40042892

  • SHA256

    b062dd8f8c46cb010cf562145e9a2836f5625f41af329e87ca2bbdc2fd05435d

  • SHA512

    a19bdadc690d31c92c8a13e7d8fc81dda61c917afbccab7c162f6c7826100f2eed31710cccee51b7b0f786f3318c577a15f2d9b918590391a7a3e49cce7c6e48

Score
10/10
hancitor2311_nsdirdownloadermacromacro_on_action

Malware Config

Extracted

Family

hancitor

Botnet

2311_nsdir

C2

http://templogio.com/9/forum.php

http://johommeract.ru/9/forum.php

http://amesibiquand.ru/9/forum.php

Targets

    • Target

      1123_406173806433.doc

    • Size

      892KB

    • MD5

      b8f16928c8996da3b1b8446367e0250f

    • SHA1

      dd48ef35e2a43da6b50f8e67b82ee1ca40042892

    • SHA256

      b062dd8f8c46cb010cf562145e9a2836f5625f41af329e87ca2bbdc2fd05435d

    • SHA512

      a19bdadc690d31c92c8a13e7d8fc81dda61c917afbccab7c162f6c7826100f2eed31710cccee51b7b0f786f3318c577a15f2d9b918590391a7a3e49cce7c6e48

    Score
    10/10
    hancitor2311_nsdirdownloader

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

      downloaderhancitor

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks