hancitor | e020851d5c3b66662ef70b47f23365a9d922d1b289634c4dddea047a6fd770e9

General

Target

e020851d5c3b66662ef70b47f23365a9d922d1b289634c4dddea047a6fd770e9.dll
Size

396KB
MD5

394beefcf36a6e88ba35ea5252dec78f
SHA1

99810c8afc8a87603abaa4cac610cde14c9c4c10
SHA256

e020851d5c3b66662ef70b47f23365a9d922d1b289634c4dddea047a6fd770e9
SHA512

503ec76dd5937a9180c31caac98805def521bd3c7be1f3717f27b54a9a77436a2b170168de77f5043a4925a763fb09a25a74b4c929105acab3a56c25c272ac82

Score

10^/10

hancitor 0312_89324 downloader

Malware Config

Extracted

Family

hancitor

Botnet

0312_89324

C2

http://bandieve.com/8/forum.php

http://decturnearrips.ru/8/forum.php

http://looduchavens.ru/8/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	1628	rundll32.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1788	1628	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1628	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1628	1672	rundll32.exe	27
PID 1672 wrote to memory of 1628	1672	rundll32.exe	27
PID 1672 wrote to memory of 1628	1672	rundll32.exe	27
PID 1672 wrote to memory of 1628	1672	rundll32.exe	27
PID 1672 wrote to memory of 1628	1672	rundll32.exe	27
PID 1672 wrote to memory of 1628	1672	rundll32.exe	27
PID 1672 wrote to memory of 1628	1672	rundll32.exe	27
PID 1628 wrote to memory of 1788	1628	rundll32.exe	30
PID 1628 wrote to memory of 1788	1628	rundll32.exe	30
PID 1628 wrote to memory of 1788	1628	rundll32.exe	30
PID 1628 wrote to memory of 1788	1628	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e020851d5c3b66662ef70b47f23365a9d922d1b289634c4dddea047a6fd770e9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e020851d5c3b66662ef70b47f23365a9d922d1b289634c4dddea047a6fd770e9.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 808
    3⤵
    - Program crash
    PID:1788

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1628-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1628-56-0x00000000001A0000-0x00000000001A8000-memory.dmp

Filesize
32KB

Download
memory/1628-57-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/1628-58-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/1628-59-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/1628-60-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/1628-61-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/1628-62-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/1628-63-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/1628-64-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/1628-65-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/1628-66-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/1628-67-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/1628-69-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/1628-70-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/1628-71-0x0000000002170000-0x00000000021A5000-memory.dmp

Filesize
212KB

Download
memory/1628-72-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing