hancitor | e52d446a99ecb9ca9f18365bab6f30e2cc1f6a97f668ea6ac38ce2a9b9ae3784

Analysis

Target

e52d446a99ecb9ca9f18365bab6f30e2cc1f6a97f668ea6ac38ce2a9b9ae3784.dll
Size

82KB
MD5

38739e8c8fc39b3ef8c25b996e4bfa74
SHA1

d0792a6b36960254216de3217887c914df633de1
SHA256

e52d446a99ecb9ca9f18365bab6f30e2cc1f6a97f668ea6ac38ce2a9b9ae3784
SHA512

cad0deafcb65e39e96bb0eeb50833dc56fcc4600348950c438c23f6504470c56f1098381f1202992cce3efcc989c5091574f634166460e2783c3d9201010ce3d

Score

10^/10

Family

hancitor

Botnet

0604_dl75789

http://ationsopors.com/4/forum.php

http://hoagoomde.com/4/forum.php

http://ardstiobek.com/4/forum.php

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor
suricata: ET MALWARE Tordal/Hancitor/Chanitor Checkin
suricata: ET MALWARE Tordal/Hancitor/Chanitor Checkin
suricata

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1108 set thread context of 1056	1108	rundll32.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1056	svchost.exe
1056	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 1108	1080	rundll32.exe	27
PID 1080 wrote to memory of 1108	1080	rundll32.exe	27
PID 1080 wrote to memory of 1108	1080	rundll32.exe	27
PID 1080 wrote to memory of 1108	1080	rundll32.exe	27
PID 1080 wrote to memory of 1108	1080	rundll32.exe	27
PID 1080 wrote to memory of 1108	1080	rundll32.exe	27
PID 1080 wrote to memory of 1108	1080	rundll32.exe	27
PID 1108 wrote to memory of 1056	1108	rundll32.exe	28
PID 1108 wrote to memory of 1056	1108	rundll32.exe	28
PID 1108 wrote to memory of 1056	1108	rundll32.exe	28
PID 1108 wrote to memory of 1056	1108	rundll32.exe	28
PID 1108 wrote to memory of 1056	1108	rundll32.exe	28
PID 1108 wrote to memory of 1056	1108	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e52d446a99ecb9ca9f18365bab6f30e2cc1f6a97f668ea6ac38ce2a9b9ae3784.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e52d446a99ecb9ca9f18365bab6f30e2cc1f6a97f668ea6ac38ce2a9b9ae3784.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1056

memory/1056-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1056-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1056-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1108-55-0x0000000076371000-0x0000000076373000-memory.dmp

Filesize
8KB

Download
memory/1108-58-0x00000000000B0000-0x00000000000B9000-memory.dmp

Filesize
36KB

Download
memory/1108-59-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download