Overview

overview

10

Static

static

8

V3158D2199.doc

windows7_x64

4

V3158D2199.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    V3158D2199.doc

  • Size

    943KB

  • Sample

    220405-ga1kssaae5

  • MD5

    db770ed53fa4d80325dd5da9f9602445

  • SHA1

    e883d5e246841e2ca50c9f6b177d276fbdbcf903

  • SHA256

    543cdd57d5a93f18c0b357a04c191632aefa9c38e3bd6947ade49745307cf6a3

  • SHA512

    760f49ae2c2b3df620ee272ce06974b163ad9701c1810c6489b689a9d166f3699fbdd78a8a5ea14c09e1afe162c4a5c04b8c64e9247b4440b63f05a95b3b70f6

Score
10/10
hancitor2103_punoshdownloadermacromacro_on_action

Malware Config

Extracted

Family

hancitor

Botnet

2103_punosh

C2

http://nanogeelr.com/9/forum.php

http://ockpitehou.ru/9/forum.php

http://lumentsawfu.ru/9/forum.php

Targets

    • Target

      V3158D2199.doc

    • Size

      943KB

    • MD5

      db770ed53fa4d80325dd5da9f9602445

    • SHA1

      e883d5e246841e2ca50c9f6b177d276fbdbcf903

    • SHA256

      543cdd57d5a93f18c0b357a04c191632aefa9c38e3bd6947ade49745307cf6a3

    • SHA512

      760f49ae2c2b3df620ee272ce06974b163ad9701c1810c6489b689a9d166f3699fbdd78a8a5ea14c09e1afe162c4a5c04b8c64e9247b4440b63f05a95b3b70f6

    Score
    10/10
    hancitor2103_punoshdownloader

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

      downloaderhancitor

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks