hancitor | e020851d5c3b66662ef70b47f23365a9d922d1b289634c4dddea047a6fd770e9

Analysis

Target

e020851d5c3b66662ef70b47f23365a9d922d1b289634c4dddea047a6fd770e9.dll
Size

396KB
MD5

394beefcf36a6e88ba35ea5252dec78f
SHA1

99810c8afc8a87603abaa4cac610cde14c9c4c10
SHA256

e020851d5c3b66662ef70b47f23365a9d922d1b289634c4dddea047a6fd770e9
SHA512

503ec76dd5937a9180c31caac98805def521bd3c7be1f3717f27b54a9a77436a2b170168de77f5043a4925a763fb09a25a74b4c929105acab3a56c25c272ac82

Score

10^/10

Family

hancitor

Botnet

0312_89324

http://bandieve.com/8/forum.php

http://decturnearrips.ru/8/forum.php

http://looduchavens.ru/8/forum.php

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Blocklisted process makes network request 1 IoCs

flow	pid	Process
38	940	rundll32.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	api.ipify.org

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
940	rundll32.exe
940	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 940	2924	rundll32.exe	79
PID 2924 wrote to memory of 940	2924	rundll32.exe	79
PID 2924 wrote to memory of 940	2924	rundll32.exe	79

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e020851d5c3b66662ef70b47f23365a9d922d1b289634c4dddea047a6fd770e9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e020851d5c3b66662ef70b47f23365a9d922d1b289634c4dddea047a6fd770e9.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:940

memory/940-130-0x0000000000870000-0x0000000000878000-memory.dmp

Filesize
32KB

Download
memory/940-131-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/940-132-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/940-133-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/940-134-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/940-135-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/940-136-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/940-137-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/940-138-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/940-139-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/940-140-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/940-141-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/940-142-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/940-143-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download