hancitor | 8bde2931a468cc81994985ec803bda715ea70ef2337defc252f404efc8650a51 | Triage

Sharing

General

Target

8bde2931a468cc81994985ec803bda715ea70ef2337defc252f404efc8650a51
Size

592KB
Sample

220604-a99jesgcgn
MD5

393258a792991fdab17305e275e5fd31
SHA1

231f60bdb55fc4597a2e4d53d4a43d66429207d2
SHA256

8bde2931a468cc81994985ec803bda715ea70ef2337defc252f404efc8650a51
SHA512

5d67586c90180f0637379bc7537b180a9083e5a125a9927a7320151a6a8e23a0dffefddccc5712679d1c25c3baddf6e5ac34fa41ff1230484d51c9a7424ae644

Score

10^/10

hancitor 1912_372823 downloader

Malware Config

Extracted

Family

hancitor

Botnet

1912_372823

C2

http://howeelyzuq.com/4/forum.php

http://thriondery.ru/4/forum.php

http://craledlopj.ru/4/forum.php

Targets

- Target
  
  8bde2931a468cc81994985ec803bda715ea70ef2337defc252f404efc8650a51
- Size
  
  592KB
- MD5
  
  393258a792991fdab17305e275e5fd31
- SHA1
  
  231f60bdb55fc4597a2e4d53d4a43d66429207d2
- SHA256
  
  8bde2931a468cc81994985ec803bda715ea70ef2337defc252f404efc8650a51
- SHA512
  
  5d67586c90180f0637379bc7537b180a9083e5a125a9927a7320151a6a8e23a0dffefddccc5712679d1c25c3baddf6e5ac34fa41ff1230484d51c9a7424ae644
Score

10^/10

hancitor 1912_372823 downloader
- Hancitor
  Hancitor is downloader used to deliver other malware families.
  downloader hancitor
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hancitor1912_372823downloader

behavioral2

hancitor1912_372823downloader