hancitor | 5c02107df5183c09261e0ce58e2ad73e68442bc3280924eb2786384a1429a007

Analysis

Target

5c02107df5183c09261e0ce58e2ad73e68442bc3280924eb2786384a1429a007.dll
Size

396KB
MD5

a719b7f1fb27224ae86ddaffe28604cc
SHA1

03cc556ac4180bcddf189d189f2455d6b66cafee
SHA256

5c02107df5183c09261e0ce58e2ad73e68442bc3280924eb2786384a1429a007
SHA512

51f1a45fdf262f1d43bd8329eeea658c0fd04c57ac13d9448291d0b3198d4f226b1d00b2431b2f717c53609abe62bcd4679ca295951bbc93da9b3b1429ec78d9

Score

10^/10

Family

hancitor

Botnet

0312_89324

http://bandieve.com/8/forum.php

http://decturnearrips.ru/8/forum.php

http://looduchavens.ru/8/forum.php

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
72	api.ipify.org

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4000	rundll32.exe
4000	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 4000	3096	rundll32.exe	56
PID 3096 wrote to memory of 4000	3096	rundll32.exe	56
PID 3096 wrote to memory of 4000	3096	rundll32.exe	56

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c02107df5183c09261e0ce58e2ad73e68442bc3280924eb2786384a1429a007.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c02107df5183c09261e0ce58e2ad73e68442bc3280924eb2786384a1429a007.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4000

memory/4000-130-0x0000000003060000-0x0000000003068000-memory.dmp

Filesize
32KB

Download
memory/4000-131-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/4000-132-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/4000-133-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/4000-134-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/4000-135-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/4000-136-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/4000-137-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/4000-138-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download