hancitor | ce2570dda3b92d0adfadfe00ee18302e98a0b9611ca1043954290961cd2fe8a8

Analysis

Target

ce2570dda3b92d0adfadfe00ee18302e98a0b9611ca1043954290961cd2fe8a8.dll
Size

108KB
MD5

d668b501a15c545b8eb1daaa74376aba
SHA1

8ae3879a74aa507eaa8bf3b25f45b973c979b588
SHA256

ce2570dda3b92d0adfadfe00ee18302e98a0b9611ca1043954290961cd2fe8a8
SHA512

54e5fa3768880ede13780001c7d6c449f2eb34f6b075e714dc2c3b2c50056e9de5565396f1ada119cac1eabc26cc912eb15f3cc65ae2b1302afd6c519ddd08b8

Score

10^/10

Family

hancitor

Botnet

2110_21378

http://keramenzakt.com/4/forum.php

http://linglentelevox.ru/4/forum.php

http://mdistellerryck.ru/4/forum.php

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
6	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 4372 set thread context of 4104	4372	rundll32.exe	80

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	Process	procid_target
PID 1996 wrote to memory of 4372	1996	rundll32.exe	79
PID 1996 wrote to memory of 4372	1996	rundll32.exe	79
PID 1996 wrote to memory of 4372	1996	rundll32.exe	79
PID 4372 wrote to memory of 4104	4372	rundll32.exe	80
PID 4372 wrote to memory of 4104	4372	rundll32.exe	80
PID 4372 wrote to memory of 4104	4372	rundll32.exe	80
PID 4372 wrote to memory of 4104	4372	rundll32.exe	80
PID 4372 wrote to memory of 4104	4372	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce2570dda3b92d0adfadfe00ee18302e98a0b9611ca1043954290961cd2fe8a8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce2570dda3b92d0adfadfe00ee18302e98a0b9611ca1043954290961cd2fe8a8.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4104

memory/4104-132-0x0000000000000000-mapping.dmp

Download
memory/4104-133-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4104-135-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4104-137-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4372-130-0x0000000000000000-mapping.dmp

Download
memory/4372-131-0x0000000000B70000-0x0000000000BFD000-memory.dmp

Filesize
564KB

Download
memory/4372-136-0x0000000000B70000-0x0000000000BFD000-memory.dmp

Filesize
564KB

Download