hancitor | 067d89c1270799d20eecb3b91e644a634adacb154cf2a1c186c0f58b74090f43

Analysis

Target

067d89c1270799d20eecb3b91e644a634adacb154cf2a1c186c0f58b74090f43.dll
Size

274KB
MD5

e9143086453d552f0780426acb0af541
SHA1

740d5931036fe041e77a79b204969c2e0fe059ea
SHA256

067d89c1270799d20eecb3b91e644a634adacb154cf2a1c186c0f58b74090f43
SHA512

bc497bc12b08c90ae824b09704901d90c4cf66c355a6d384c2d69d16ef9e7a36ab97c968076056e58b5771f6182d82f52e77a86d62ccc9b1086bfd2ca54fc7bc

Score

10^/10

Family

hancitor

Botnet

0210_328487

http://spausence.com/4/forum.php

http://wortionce.ru/4/forum.php

http://knoweent.ru/4/forum.php

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4660 set thread context of 4744	4660	rundll32.exe	80

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 4660	4416	rundll32.exe	79
PID 4416 wrote to memory of 4660	4416	rundll32.exe	79
PID 4416 wrote to memory of 4660	4416	rundll32.exe	79
PID 4660 wrote to memory of 4744	4660	rundll32.exe	80
PID 4660 wrote to memory of 4744	4660	rundll32.exe	80
PID 4660 wrote to memory of 4744	4660	rundll32.exe	80
PID 4660 wrote to memory of 4744	4660	rundll32.exe	80
PID 4660 wrote to memory of 4744	4660	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\067d89c1270799d20eecb3b91e644a634adacb154cf2a1c186c0f58b74090f43.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\067d89c1270799d20eecb3b91e644a634adacb154cf2a1c186c0f58b74090f43.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4744

memory/4660-131-0x0000000002260000-0x0000000002292000-memory.dmp

Filesize
200KB

Download
memory/4660-132-0x00000000008F0000-0x00000000008FC000-memory.dmp

Filesize
48KB

Download
memory/4660-137-0x0000000002260000-0x0000000002292000-memory.dmp

Filesize
200KB

Download
memory/4660-138-0x00000000008F0000-0x00000000008FC000-memory.dmp

Filesize
48KB

Download
memory/4744-134-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4744-136-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4744-139-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4744-140-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download