Overview

overview

10

Static

static

8

18cf2e39ef...da.doc

windows7_x64

10

18cf2e39ef...da.doc

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    18cf2e39efca29316e84dab1be885a77c600c40d6bb65cd016b6de9d3fd0a6da

  • Size

    461KB

  • Sample

    220305-zka21aahek

  • MD5

    dcc62d1c27043d6ecededefd5dec8fa2

  • SHA1

    203bbea4dfd1ad3f91c5a177dfbb84d8f3235f09

  • SHA256

    18cf2e39efca29316e84dab1be885a77c600c40d6bb65cd016b6de9d3fd0a6da

  • SHA512

    6b5a957bdad86e5efc4ecc916b314dd190873d2d77af2560bde6f660785588c054857b983c7243c6f54b3990729916bfc1dc96f042ec37e2429574c04a418939

Score
10/10
hancitor1901_48re93downloadermacromacro_on_action

Malware Config

Extracted

Family

hancitor

Botnet

1901_48re93

C2

http://opulteme.com/8/forum.php

http://tharepirms.ru/8/forum.php

http://worteltiffee.ru/8/forum.php

Targets

    • Target

      18cf2e39efca29316e84dab1be885a77c600c40d6bb65cd016b6de9d3fd0a6da

    • Size

      461KB

    • MD5

      dcc62d1c27043d6ecededefd5dec8fa2

    • SHA1

      203bbea4dfd1ad3f91c5a177dfbb84d8f3235f09

    • SHA256

      18cf2e39efca29316e84dab1be885a77c600c40d6bb65cd016b6de9d3fd0a6da

    • SHA512

      6b5a957bdad86e5efc4ecc916b314dd190873d2d77af2560bde6f660785588c054857b983c7243c6f54b3990729916bfc1dc96f042ec37e2429574c04a418939

    Score
    10/10
    hancitor1901_48re93downloader

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

      downloaderhancitor

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks