hancitor | 291a4eb06358eca87fbc1f133ee162b6c532f4ec3e6f39c2646cde5de60e80f9

Analysis

Target

291a4eb06358eca87fbc1f133ee162b6c532f4ec3e6f39c2646cde5de60e80f9.dll
Size

248KB
MD5

6ad619702dad7c8fc1cefd3bc7967cf4
SHA1

b9fc56281283878f69513f341a0479d846c4f0ba
SHA256

291a4eb06358eca87fbc1f133ee162b6c532f4ec3e6f39c2646cde5de60e80f9
SHA512

e9d9a98ab7b25ecb5b7d900728ffd752f3cee705ab772cda079ec48f1fdcd2ac1c6911ad0ac5b6f8e47d9d4a362af875781d444a379ad4abcda5b85ddec21277

Score

10^/10

Family

hancitor

Botnet

0903_7832478324

http://thumbeks.com/4/forum.php

http://cludions.com/4/forum.php

http://othasidka.com/4/forum.php

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor
suricata: ET MALWARE Tordal/Hancitor/Chanitor Checkin
suricata: ET MALWARE Tordal/Hancitor/Chanitor Checkin
suricata

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 112 set thread context of 1580	112	rundll32.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exe

pid	Process
1580	svchost.exe
1580	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	Process	procid_target
PID 552 wrote to memory of 112	552	rundll32.exe	18
PID 552 wrote to memory of 112	552	rundll32.exe	18
PID 552 wrote to memory of 112	552	rundll32.exe	18
PID 552 wrote to memory of 112	552	rundll32.exe	18
PID 552 wrote to memory of 112	552	rundll32.exe	18
PID 552 wrote to memory of 112	552	rundll32.exe	18
PID 552 wrote to memory of 112	552	rundll32.exe	18
PID 112 wrote to memory of 1580	112	rundll32.exe	29
PID 112 wrote to memory of 1580	112	rundll32.exe	29
PID 112 wrote to memory of 1580	112	rundll32.exe	29
PID 112 wrote to memory of 1580	112	rundll32.exe	29
PID 112 wrote to memory of 1580	112	rundll32.exe	29
PID 112 wrote to memory of 1580	112	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\291a4eb06358eca87fbc1f133ee162b6c532f4ec3e6f39c2646cde5de60e80f9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\291a4eb06358eca87fbc1f133ee162b6c532f4ec3e6f39c2646cde5de60e80f9.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1580

memory/112-54-0x0000000000000000-mapping.dmp

Download
memory/112-55-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/112-63-0x0000000000170000-0x0000000000179000-memory.dmp

Filesize
36KB

Download
memory/112-64-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/1580-59-0x0000000000402960-mapping.dmp

Download
memory/1580-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1580-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1580-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1580-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download