hancitor | 12f87dd075fc12c2b6b15a1eb5ca209ba056bb6aa2feaf3518163192a17a7a3b | Triage

Sharing

General

Target

12f87dd075fc12c2b6b15a1eb5ca209ba056bb6aa2feaf3518163192a17a7a3b
Size

280KB
Sample

220201-j57npsbdan
MD5

18ed9dca690e7588a6f12f2eeab3921a
SHA1

2151775b62efb39e75ee1ad883c47c60d4b3c145
SHA256

12f87dd075fc12c2b6b15a1eb5ca209ba056bb6aa2feaf3518163192a17a7a3b
SHA512

1c828f67ffa0c292990769ed167d8988e1708ce429e54939a0d6506a646cb16b82e7ee77678ccb64cba1c1f918203fd3643c9f8b8c1fe98c58a14e7b7203e5af

Score

10^/10

hancitor 1203_4893743248 downloader persistence

Malware Config

Extracted

Family

hancitor

Botnet

1203_4893743248

C2

http://bralibuda.com/4/forum.php

http://greferezud.com/4/forum.php

http://deraelous.com/4/forum.php

Targets

- Target
  
  12f87dd075fc12c2b6b15a1eb5ca209ba056bb6aa2feaf3518163192a17a7a3b
- Size
  
  280KB
- MD5
  
  18ed9dca690e7588a6f12f2eeab3921a
- SHA1
  
  2151775b62efb39e75ee1ad883c47c60d4b3c145
- SHA256
  
  12f87dd075fc12c2b6b15a1eb5ca209ba056bb6aa2feaf3518163192a17a7a3b
- SHA512
  
  1c828f67ffa0c292990769ed167d8988e1708ce429e54939a0d6506a646cb16b82e7ee77678ccb64cba1c1f918203fd3643c9f8b8c1fe98c58a14e7b7203e5af
Score

10^/10

hancitor 1203_4893743248 downloader persistence
- Hancitor
  Hancitor is downloader used to deliver other malware families.
  downloader hancitor
- Sets service image path in registry
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hancitor1203_4893743248downloader

behavioral2