hancitor | 852fac33454b5962bb82d928b4dbab741a4349de9c448fef5e629119b750d382 | Triage

Submit
Reports

Overview

overview

Static

static

WA152864246308.vbs

windows7_x64

WA152864246308.vbs

windows10-2004_x64

Sharing

General

Target

852fac33454b5962bb82d928b4dbab741a4349de9c448fef5e629119b750d382
Size

223KB
Sample

220201-fznrvshcbj
MD5

c6b0d4984f1d5378b31f542a48ece9e3
SHA1

6f899217337f8d92aff9945d56f4d3b6e40b9f04
SHA256

852fac33454b5962bb82d928b4dbab741a4349de9c448fef5e629119b750d382
SHA512

16df240f49fc4a8ab03dc0645ffacb31d6a51d3b8f51f58ec3a4b3103f5756070856edf27610077a1cec2c932345704d88aa6974cb8e563e9bcf2b5613929c42

Score

10^/10

hancitor 0903_7832478324 downloader persistence suricata

Static task

static1

Behavioral task

behavioral1

Sample

WA152864246308.vbs

Resource

win7-en-20211208

hancitor 0903_7832478324 downloader suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

WA152864246308.vbs

Resource

win10v2004-en-20220113

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

hancitor

Botnet

0903_7832478324

C2

http://thumbeks.com/4/forum.php

http://cludions.com/4/forum.php

http://othasidka.com/4/forum.php

Targets

- Target
  
  WA152864246308.vbs
- Size
  
  1.1MB
- MD5
  
  5d639feb66501c3f96353a61e95413a7
- SHA1
  
  9c851ecb06e46ffafa829616cfcdb96e935fcc0f
- SHA256
  
  ccc1b5f6dfcdfa6a84a2c6d7edf38886cfd1135e279c3147effb0963fee3bb1b
- SHA512
  
  0c919c63eff3896fdd57b8fc7a3576a58388df94f139176f45d487b84f4b93d40d94640d40762b45340bb9219f845d5d68c0b07b4ba8c70eeb913ebb928e3cf6
Score

10^/10

hancitor 0903_7832478324 downloader suricata persistence
- Hancitor
  Hancitor is downloader used to deliver other malware families.
  downloader hancitor
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE Tordal/Hancitor/Chanitor Checkin
  suricata: ET MALWARE Tordal/Hancitor/Chanitor Checkin
  suricata
- Sets service image path in registry
  persistence
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

hancitor0903_7832478324downloadersuricata

behavioral2

© 2018-2024

Terms | Privacy