Overview

overview

10

Static

static

8

TopjQOYSxpfdTGMA.doc

windows7_x64

4

TopjQOYSxpfdTGMA.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    TopjQOYSxpfdTGMA.doc

  • Size

    943KB

  • Sample

    220328-wn8kwshcdj

  • MD5

    45a45e8755d528a77314b2be258614df

  • SHA1

    ac76e90a575865376c80a06c9f445110ff9e8819

  • SHA256

    36167dcde57f9a12723e0af7f9ea7aba88dd8cc1bdd74b62df1f86aa9d2ba925

  • SHA512

    47e687de6504ae5ec5eee0f1012c20c7b8cfc35f0efd203718b2c87160c1523087268a50a9a5b7177431325d79da8f7e247f4d5bb4e0dadcd14d5e9c960c0b2a

Score
10/10
hancitor2103_punoshdownloadermacromacro_on_actionsuricata

Malware Config

Extracted

Family

hancitor

Botnet

2103_punosh

C2

http://nanogeelr.com/9/forum.php

http://ockpitehou.ru/9/forum.php

http://lumentsawfu.ru/9/forum.php

Targets

    • Target

      TopjQOYSxpfdTGMA.doc

    • Size

      943KB

    • MD5

      45a45e8755d528a77314b2be258614df

    • SHA1

      ac76e90a575865376c80a06c9f445110ff9e8819

    • SHA256

      36167dcde57f9a12723e0af7f9ea7aba88dd8cc1bdd74b62df1f86aa9d2ba925

    • SHA512

      47e687de6504ae5ec5eee0f1012c20c7b8cfc35f0efd203718b2c87160c1523087268a50a9a5b7177431325d79da8f7e247f4d5bb4e0dadcd14d5e9c960c0b2a

    Score
    10/10
    hancitor2103_punoshdownloadersuricata

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

      downloaderhancitor

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE Suspected Win32/Hancitor Checkin

      suricata: ET MALWARE Suspected Win32/Hancitor Checkin

      suricata

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks