General
- Target: 852fac33454b5962bb82d928b4dbab741a4349de9c448fef5e629119b750d382
- Size: 223KB
- Sample: 220201-fznrvshcbj
- MD5: c6b0d4984f1d5378b31f542a48ece9e3
- SHA1: 6f899217337f8d92aff9945d56f4d3b6e40b9f04
- SHA256: 852fac33454b5962bb82d928b4dbab741a4349de9c448fef5e629119b750d382
- SHA512: 16df240f49fc4a8ab03dc0645ffacb31d6a51d3b8f51f58ec3a4b3103f5756070856edf27610077a1cec2c932345704d88aa6974cb8e563e9bcf2b5613929c42
Static task: static1
Behavioral task: behavioral1
  Sample: WA152864246308.vbs
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: WA152864246308.vbs
  Resource: win10v2004-en-20220113
Malware Config
Extracted: hancitor
  0903_7832478324
  http://thumbeks.com/4/forum.php
  http://cludions.com/4/forum.php
  http://othasidka.com/4/forum.php
Targets
- Target: WA152864246308.vbs
- Size: 1.1MB
- MD5: 5d639feb66501c3f96353a61e95413a7
- SHA1: 9c851ecb06e46ffafa829616cfcdb96e935fcc0f
- SHA256: ccc1b5f6dfcdfa6a84a2c6d7edf38886cfd1135e279c3147effb0963fee3bb1b
- SHA512: 0c919c63eff3896fdd57b8fc7a3576a58388df94f139176f45d487b84f4b93d40d94640d40762b45340bb9219f845d5d68c0b07b4ba8c70eeb913ebb928e3cf6
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE Tordal/Hancitor/Chanitor Checkin
- Sets service image path in registry
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext