hancitor | 81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218

General

Target

81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe
Size

521KB
MD5

6daad96aa8bb3a1dd6de3e17e37e4d04
SHA1

5974bbf965584a1a36c346710210bc4340f2e914
SHA256

81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218
SHA512

5f4a042cb09bd0de477b69f19d832b58470de7328c79489ee953712c071acbac72fd0fc79f014f22f95d3173f2baea73e2086ab87c33898d6d709a3539b81324

Score

10^/10

hancitor 1410_7_qw downloader persistence

Malware Config

Extracted

Family

hancitor

Botnet

1410_7_qw

C2

http://iverspriturs.com/7/forum.php

http://chormetdendu.ru/7/forum.php

http://appinrelifle.ru/7/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Executes dropped EXE 1 IoCs

Processes:

WinHost32.exe

pid	Process
2024	WinHost32.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1532	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe

pid	Process
1108	81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe
1108	81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinHost32 = "C:\\Windows\\System32\\WinHost32.exe"	81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
4	api.ipify.org

Drops file in System32 directory 1 IoCs

Processes:

81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\WinHost32.exe	81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exeWinHost32.exe

pid	Process
1108	81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe
2024	WinHost32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe

description	pid	Process	procid_target
PID 1108 wrote to memory of 2024	1108	81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe	28
PID 1108 wrote to memory of 2024	1108	81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe	28
PID 1108 wrote to memory of 2024	1108	81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe	28
PID 1108 wrote to memory of 2024	1108	81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe	28
PID 1108 wrote to memory of 1532	1108	81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe	29
PID 1108 wrote to memory of 1532	1108	81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe	29
PID 1108 wrote to memory of 1532	1108	81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe	29
PID 1108 wrote to memory of 1532	1108	81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe	29

C:\Users\Admin\AppData\Local\Temp\81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe
"C:\Users\Admin\AppData\Local\Temp\81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\SysWOW64\WinHost32.exe
  C:\Windows\System32\WinHost32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2024
- C:\Windows\SysWOW64\cmd.exe
  /c del C:\Users\Admin\AppData\Local\Temp\81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218.exe >> NUL
  2⤵
  - Deletes itself
  PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\WinHost32.exe

Filesize
521KB

MD5
6daad96aa8bb3a1dd6de3e17e37e4d04

SHA1
5974bbf965584a1a36c346710210bc4340f2e914

SHA256
81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218

SHA512
5f4a042cb09bd0de477b69f19d832b58470de7328c79489ee953712c071acbac72fd0fc79f014f22f95d3173f2baea73e2086ab87c33898d6d709a3539b81324

Download Submit
\Windows\SysWOW64\WinHost32.exe

Filesize
521KB

MD5
6daad96aa8bb3a1dd6de3e17e37e4d04

SHA1
5974bbf965584a1a36c346710210bc4340f2e914

SHA256
81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218

SHA512
5f4a042cb09bd0de477b69f19d832b58470de7328c79489ee953712c071acbac72fd0fc79f014f22f95d3173f2baea73e2086ab87c33898d6d709a3539b81324

Download Submit
\Windows\SysWOW64\WinHost32.exe

Filesize
521KB

MD5
6daad96aa8bb3a1dd6de3e17e37e4d04

SHA1
5974bbf965584a1a36c346710210bc4340f2e914

SHA256
81b23d07b580c16b60d35fcd4dc399313042394ad795f2241754ede59745b218

SHA512
5f4a042cb09bd0de477b69f19d832b58470de7328c79489ee953712c071acbac72fd0fc79f014f22f95d3173f2baea73e2086ab87c33898d6d709a3539b81324

Download Submit
memory/1108-54-0x0000000076721000-0x0000000076723000-memory.dmp

Filesize
8KB

Download
memory/1108-55-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/1108-62-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1532-61-0x0000000000000000-mapping.dmp

Download
memory/2024-58-0x0000000000000000-mapping.dmp

Download
memory/2024-63-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads