hancitor | abc91dfef90476ff6e3406b62b085ef1e84585aea3e9d80dbe3aa21597ff5995

Analysis

Target

if.bin.dll
Size

1.8MB
MD5

d90f5bb9e103ea6935e453a8bafe4a66
SHA1

20b37f0d541542925ae321a6350b64a04abaa3b2
SHA256

abc91dfef90476ff6e3406b62b085ef1e84585aea3e9d80dbe3aa21597ff5995
SHA512

f5be489c65295d22f70a101aff1a79cf6e9c01f0d3f00c1424a606e2d3c24c70d5eff79dac3cadfb9e5ebe4a1710dcb21e7536cde02a37e7b73b872e90b5fb88

Score

10^/10

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	1096	rundll32.exe
7	1096	rundll32.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1096	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1096	1724	rundll32.exe	27
PID 1724 wrote to memory of 1096	1724	rundll32.exe	27
PID 1724 wrote to memory of 1096	1724	rundll32.exe	27
PID 1724 wrote to memory of 1096	1724	rundll32.exe	27
PID 1724 wrote to memory of 1096	1724	rundll32.exe	27
PID 1724 wrote to memory of 1096	1724	rundll32.exe	27
PID 1724 wrote to memory of 1096	1724	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\if.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\if.bin.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:1096

memory/1096-54-0x0000000076491000-0x0000000076493000-memory.dmp

Filesize
8KB

Download
memory/1096-55-0x0000000010000000-0x00000000101DB000-memory.dmp

Filesize
1.9MB

Download