hancitor | 9532743ba2305e568e69d5086a05da30436b30be733548c4d28222bfa9f456fa | Triage

Submit
Reports

Overview

overview

Static

static

8

9532743ba2...fa.doc

windows7_x64

4

9532743ba2...fa.doc

windows10-2004_x64

Sharing

General

Target

9532743ba2305e568e69d5086a05da30436b30be733548c4d28222bfa9f456fa
Size

322KB
Sample

220131-vhe6qaafd7
MD5

4ca02d884e80c7333257d762e6964805
SHA1

85c47af2826ab8979b09df68a1ff5a7cb35fed42
SHA256

9532743ba2305e568e69d5086a05da30436b30be733548c4d28222bfa9f456fa
SHA512

e40819c9090c793644bfb52bba15ba346a20bbd2027dcd1e02935433777f8a3c8dc15dce278514ca024b35f559399b82d0419a390c674bcf7d93a463f1907980

Score

10^/10

hancitor 1609_dkytr downloader macro macro_on_action persistence

Static task

static1

macro macro_on_action

Behavioral task

behavioral1

Sample

9532743ba2305e568e69d5086a05da30436b30be733548c4d28222bfa9f456fa.doc

Resource

win7-en-20211208

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

9532743ba2305e568e69d5086a05da30436b30be733548c4d28222bfa9f456fa.doc

Resource

win10v2004-en-20220112

hancitor 1609_dkytr downloader persistence

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

hancitor

Botnet

1609_dkytr

C2

http://plivatecez.com/8/forum.php

http://agarreaters.ru/8/forum.php

http://weratiands.ru/8/forum.php

Targets

- Target
  
  9532743ba2305e568e69d5086a05da30436b30be733548c4d28222bfa9f456fa
- Size
  
  322KB
- MD5
  
  4ca02d884e80c7333257d762e6964805
- SHA1
  
  85c47af2826ab8979b09df68a1ff5a7cb35fed42
- SHA256
  
  9532743ba2305e568e69d5086a05da30436b30be733548c4d28222bfa9f456fa
- SHA512
  
  e40819c9090c793644bfb52bba15ba346a20bbd2027dcd1e02935433777f8a3c8dc15dce278514ca024b35f559399b82d0419a390c674bcf7d93a463f1907980
Score

10^/10

hancitor 1609_dkytr downloader persistence
- Hancitor
  Hancitor is downloader used to deliver other malware families.
  downloader hancitor
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Sets service image path in registry
  persistence
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

macromacro_on_action

behavioral1

behavioral2

hancitor1609_dkytrdownloaderpersistence

© 2018-2025

Terms | Privacy