Overview

overview

10

Static

static

8

1b4fa8201c...a2.doc

windows7_x64

4

1b4fa8201c...a2.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1b4fa8201cd3810458494b53b12405a2.doc

  • Size

    892KB

  • Sample

    211123-yyvg5abber

  • MD5

    1b4fa8201cd3810458494b53b12405a2

  • SHA1

    77fa859cab2f5509ac367ff753475bd3744f0d77

  • SHA256

    bcdcf1ec9bf276c3e6ea441e64ff91fe836857fc49c0c97b672adc0a64aa6873

  • SHA512

    ffa139281f0f019ddf4b74963fe47421e0edbff781c9b941938d3bb2eacc8f92b63c328bcbd745201cef221f3536e2b09b122cf3baa423127d2ba122304c9fd7

Score
10/10
hancitor2311_nsdirdownloadermacromacro_on_action

Malware Config

Extracted

Family

hancitor

Botnet

2311_nsdir

C2

http://templogio.com/9/forum.php

http://johommeract.ru/9/forum.php

http://amesibiquand.ru/9/forum.php

Targets

    • Target

      1b4fa8201cd3810458494b53b12405a2.doc

    • Size

      892KB

    • MD5

      1b4fa8201cd3810458494b53b12405a2

    • SHA1

      77fa859cab2f5509ac367ff753475bd3744f0d77

    • SHA256

      bcdcf1ec9bf276c3e6ea441e64ff91fe836857fc49c0c97b672adc0a64aa6873

    • SHA512

      ffa139281f0f019ddf4b74963fe47421e0edbff781c9b941938d3bb2eacc8f92b63c328bcbd745201cef221f3536e2b09b122cf3baa423127d2ba122304c9fd7

    Score
    10/10
    hancitor2311_nsdirdownloader

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

      downloaderhancitor

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks