General

  • Target

    d60f4f05c48c778ad9434ea64f0c83e9202d38ef8e1d9fb4502bff6aeac24f36

  • Size

    521KB

  • Sample

    220131-s7tdjahffl

  • MD5

    e1bfd913888da72cd36d8f559efb5a30

  • SHA1

    2ff8795fbc06d5323f018a6279f9d75ef4c65048

  • SHA256

    d60f4f05c48c778ad9434ea64f0c83e9202d38ef8e1d9fb4502bff6aeac24f36

  • SHA512

    f2552838061d8fec4b88df40d171b95b3339d6fcc62c60389064ccfc63c72441aef461441e5fff0529301553c75ed85d3d586fa2d9184ee29c3d80db691142a0

Malware Config

Extracted

Family

hancitor

Botnet

0709_baxc7

C2

http://takitrisexp.ru/8/forum.php

http://olocratim.ru/8/forum.php

http://kedaeclas.ru/8/forum.php

Targets

    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Sets service image path in registry

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6