hancitor | 36167dcde57f9a12723e0af7f9ea7aba88dd8cc1bdd74b62df1f86aa9d2ba925 | Triage

Submit
Reports

Overview

overview

Static

static

8

TopjQOYSxpfdTGMA.doc

windows7_x64

4

TopjQOYSxpfdTGMA.doc

windows10_x64

Sharing

General

Target

TopjQOYSxpfdTGMA.doc
Size

943KB
Sample

220328-wn8kwshcdj
MD5

45a45e8755d528a77314b2be258614df
SHA1

ac76e90a575865376c80a06c9f445110ff9e8819
SHA256

36167dcde57f9a12723e0af7f9ea7aba88dd8cc1bdd74b62df1f86aa9d2ba925
SHA512

47e687de6504ae5ec5eee0f1012c20c7b8cfc35f0efd203718b2c87160c1523087268a50a9a5b7177431325d79da8f7e247f4d5bb4e0dadcd14d5e9c960c0b2a

Score

10^/10

hancitor 2103_punosh downloader macro macro_on_action suricata

Static task

static1

macro macro_on_action

Behavioral task

behavioral1

Sample

TopjQOYSxpfdTGMA.doc

Resource

win7-20220311-en

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

TopjQOYSxpfdTGMA.doc

Resource

win10-20220223-en

hancitor 2103_punosh downloader suricata

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

hancitor

Botnet

2103_punosh

C2

http://nanogeelr.com/9/forum.php

http://ockpitehou.ru/9/forum.php

http://lumentsawfu.ru/9/forum.php

Targets

- Target
  
  TopjQOYSxpfdTGMA.doc
- Size
  
  943KB
- MD5
  
  45a45e8755d528a77314b2be258614df
- SHA1
  
  ac76e90a575865376c80a06c9f445110ff9e8819
- SHA256
  
  36167dcde57f9a12723e0af7f9ea7aba88dd8cc1bdd74b62df1f86aa9d2ba925
- SHA512
  
  47e687de6504ae5ec5eee0f1012c20c7b8cfc35f0efd203718b2c87160c1523087268a50a9a5b7177431325d79da8f7e247f4d5bb4e0dadcd14d5e9c960c0b2a
Score

10^/10

hancitor 2103_punosh downloader suricata
- Hancitor
  Hancitor is downloader used to deliver other malware families.
  downloader hancitor
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE Suspected Win32/Hancitor Checkin
  suricata: ET MALWARE Suspected Win32/Hancitor Checkin
  suricata
- Blocklisted process makes network request
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

macromacro_on_action

behavioral1

behavioral2

hancitor2103_punoshdownloadersuricata

© 2018-2024

Terms | Privacy