hancitor | ce2570dda3b92d0adfadfe00ee18302e98a0b9611ca1043954290961cd2fe8a8

Analysis

Target

ce2570dda3b92d0adfadfe00ee18302e98a0b9611ca1043954290961cd2fe8a8.dll
Size

108KB
MD5

d668b501a15c545b8eb1daaa74376aba
SHA1

8ae3879a74aa507eaa8bf3b25f45b973c979b588
SHA256

ce2570dda3b92d0adfadfe00ee18302e98a0b9611ca1043954290961cd2fe8a8
SHA512

54e5fa3768880ede13780001c7d6c449f2eb34f6b075e714dc2c3b2c50056e9de5565396f1ada119cac1eabc26cc912eb15f3cc65ae2b1302afd6c519ddd08b8

Score

10^/10

Family

hancitor

Botnet

2110_21378

http://keramenzakt.com/4/forum.php

http://linglentelevox.ru/4/forum.php

http://mdistellerryck.ru/4/forum.php

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 364 set thread context of 1740	364	rundll32.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exe

pid	Process
1740	svchost.exe
1740	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	Process	procid_target
PID 336 wrote to memory of 364	336	rundll32.exe	15
PID 336 wrote to memory of 364	336	rundll32.exe	15
PID 336 wrote to memory of 364	336	rundll32.exe	15
PID 336 wrote to memory of 364	336	rundll32.exe	15
PID 336 wrote to memory of 364	336	rundll32.exe	15
PID 336 wrote to memory of 364	336	rundll32.exe	15
PID 336 wrote to memory of 364	336	rundll32.exe	15
PID 364 wrote to memory of 1740	364	rundll32.exe	29
PID 364 wrote to memory of 1740	364	rundll32.exe	29
PID 364 wrote to memory of 1740	364	rundll32.exe	29
PID 364 wrote to memory of 1740	364	rundll32.exe	29
PID 364 wrote to memory of 1740	364	rundll32.exe	29
PID 364 wrote to memory of 1740	364	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce2570dda3b92d0adfadfe00ee18302e98a0b9611ca1043954290961cd2fe8a8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:336
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce2570dda3b92d0adfadfe00ee18302e98a0b9611ca1043954290961cd2fe8a8.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:364
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1740

memory/364-54-0x0000000000000000-mapping.dmp

Download
memory/364-55-0x00000000752A1000-0x00000000752A3000-memory.dmp

Filesize
8KB

Download
memory/364-56-0x0000000000160000-0x0000000000169000-memory.dmp

Filesize
36KB

Download
memory/364-61-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/364-63-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/1740-60-0x0000000000402960-mapping.dmp

Download
memory/1740-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1740-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1740-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1740-66-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download