hancitor | 1f3f57156a64811fe649126af713fe0550d2b7089a1a16a239211289286418ed | Triage

Sharing

General

Target

1f3f57156a64811fe649126af713fe0550d2b7089a1a16a239211289286418ed
Size

446KB
Sample

220503-amka1sdca9
MD5

5d9d7915ae733016e1bc3fed44ac951a
SHA1

2e47a92c311665629e2a7de03a0094548a56511a
SHA256

1f3f57156a64811fe649126af713fe0550d2b7089a1a16a239211289286418ed
SHA512

015aea19d679782f4e957fff36352fb5c4570ca744c3f560e224445c48062dbb8f358ab058b989d68963407ed47220cd1552a7084020a04799f3e8adcd18f692

Score

10^/10

hancitor 1310_wing downloader persistence

Malware Config

Extracted

Family

hancitor

Botnet

1310_wing

C2

http://phercopar.com/4/forum.php

http://sjogetahit.ru/4/forum.php

http://netodughra.ru/4/forum.php

Targets

- Target
  
  1f3f57156a64811fe649126af713fe0550d2b7089a1a16a239211289286418ed
- Size
  
  446KB
- MD5
  
  5d9d7915ae733016e1bc3fed44ac951a
- SHA1
  
  2e47a92c311665629e2a7de03a0094548a56511a
- SHA256
  
  1f3f57156a64811fe649126af713fe0550d2b7089a1a16a239211289286418ed
- SHA512
  
  015aea19d679782f4e957fff36352fb5c4570ca744c3f560e224445c48062dbb8f358ab058b989d68963407ed47220cd1552a7084020a04799f3e8adcd18f692
Score

10^/10

hancitor 1310_wing downloader persistence
- Hancitor
  Hancitor is downloader used to deliver other malware families.
  downloader hancitor
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hancitor1310_wingdownloaderpersistence

behavioral2

hancitor1310_wingdownloaderpersistence