hancitor | 5011dd0a26ca04555a12e570acb1143612ab95b975c42f21b2ae1b2bac0d213a

Analysis

Target

5011dd0a26ca04555a12e570acb1143612ab95b975c42f21b2ae1b2bac0d213a.dll
Size

194KB
MD5

4f9704564924daab2892d09c92bc0cf5
SHA1

3e5fdde184de1615d5e65cd52b97b114e2e21d20
SHA256

5011dd0a26ca04555a12e570acb1143612ab95b975c42f21b2ae1b2bac0d213a
SHA512

5005d33248e0ee31bf6d5a8661738a89d49f2b4b6d35dad5a6098a2bcb7a339ce61b823b3f1fffe856a20a3ccbd91d351cfed73c31639a544f2cd4592976a6fd

Score

10^/10

Family

hancitor

Botnet

2505_78324234

http://tiftecludinut.com/4/forum.php

http://denaduntelaz.ru/4/forum.php

http://ingerintake.ru/4/forum.php

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1660 set thread context of 704	1660	rundll32.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
704	svchost.exe
704	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1660	1512	rundll32.exe	28
PID 1512 wrote to memory of 1660	1512	rundll32.exe	28
PID 1512 wrote to memory of 1660	1512	rundll32.exe	28
PID 1512 wrote to memory of 1660	1512	rundll32.exe	28
PID 1512 wrote to memory of 1660	1512	rundll32.exe	28
PID 1512 wrote to memory of 1660	1512	rundll32.exe	28
PID 1512 wrote to memory of 1660	1512	rundll32.exe	28
PID 1660 wrote to memory of 704	1660	rundll32.exe	29
PID 1660 wrote to memory of 704	1660	rundll32.exe	29
PID 1660 wrote to memory of 704	1660	rundll32.exe	29
PID 1660 wrote to memory of 704	1660	rundll32.exe	29
PID 1660 wrote to memory of 704	1660	rundll32.exe	29
PID 1660 wrote to memory of 704	1660	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5011dd0a26ca04555a12e570acb1143612ab95b975c42f21b2ae1b2bac0d213a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5011dd0a26ca04555a12e570acb1143612ab95b975c42f21b2ae1b2bac0d213a.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:704

memory/704-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/704-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/704-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/704-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1660-55-0x0000000076421000-0x0000000076423000-memory.dmp

Filesize
8KB

Download
memory/1660-63-0x0000000000160000-0x0000000000169000-memory.dmp

Filesize
36KB

Download