hancitor | aa14013aab2ff7beea20c14c710dafde5f4bd79d8e125f63ed38e788c6e4aa18 | Triage

Sharing

General

Target

aa14013aab2ff7beea20c14c710dafde5f4bd79d8e125f63ed38e788c6e4aa18
Size

602KB
Sample

220609-fg34tshbh5
MD5

02782c8c2739ebc98df5b5bcfb758ead
SHA1

409d28546f0589ba6f8af73c8cbb7328be717aba
SHA256

aa14013aab2ff7beea20c14c710dafde5f4bd79d8e125f63ed38e788c6e4aa18
SHA512

3907e36f23dea3337fee11696066c3f738f2c4587de39374267105c8fc8abeee6ffd761251478bab9d31bbed09d6c8c1495b4d4fb9c2cc782e0e9df542f7db9d

Score

10^/10

hancitor 1912_372823 downloader

Malware Config

Extracted

Family

hancitor

Botnet

1912_372823

C2

http://howeelyzuq.com/4/forum.php

http://thriondery.ru/4/forum.php

http://craledlopj.ru/4/forum.php

Targets

- Target
  
  aa14013aab2ff7beea20c14c710dafde5f4bd79d8e125f63ed38e788c6e4aa18
- Size
  
  602KB
- MD5
  
  02782c8c2739ebc98df5b5bcfb758ead
- SHA1
  
  409d28546f0589ba6f8af73c8cbb7328be717aba
- SHA256
  
  aa14013aab2ff7beea20c14c710dafde5f4bd79d8e125f63ed38e788c6e4aa18
- SHA512
  
  3907e36f23dea3337fee11696066c3f738f2c4587de39374267105c8fc8abeee6ffd761251478bab9d31bbed09d6c8c1495b4d4fb9c2cc782e0e9df542f7db9d
Score

10^/10

hancitor 1912_372823 downloader
- Hancitor
  Hancitor is downloader used to deliver other malware families.
  downloader hancitor
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hancitor1912_372823downloader

behavioral2

hancitor1912_372823downloader