hancitor | 81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218 | Triage

Sharing

General

Target

81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218
Size

521KB
Sample

220508-2n6n7acedp
MD5

6daad96aa8bb3a1dd6de3e17e37e4d04
SHA1

5974bbf965584a1a36c346710210bc4340f2e914
SHA256

81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218
SHA512

5f4a042cb09bd0de477b69f19d832b58470de7328c79489ee953712c071acbac72fd0fc79f014f22f95d3173f2baea73e2086ab87c33898d6d709a3539b81324

Score

10^/10

hancitor 1410_7_qw downloader persistence

Malware Config

Extracted

Family

hancitor

Botnet

1410_7_qw

C2

http://iverspriturs.com/7/forum.php

http://chormetdendu.ru/7/forum.php

http://appinrelifle.ru/7/forum.php

Targets

- Target
  
  81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218
- Size
  
  521KB
- MD5
  
  6daad96aa8bb3a1dd6de3e17e37e4d04
- SHA1
  
  5974bbf965584a1a36c346710210bc4340f2e914
- SHA256
  
  81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218
- SHA512
  
  5f4a042cb09bd0de477b69f19d832b58470de7328c79489ee953712c071acbac72fd0fc79f014f22f95d3173f2baea73e2086ab87c33898d6d709a3539b81324
Score

10^/10

hancitor 1410_7_qw downloader persistence
- Hancitor
  Hancitor is downloader used to deliver other malware families.
  downloader hancitor
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hancitor1410_7_qwdownloaderpersistence

behavioral2

hancitor1410_7_qwdownloaderpersistence