Overview

overview

10

Static

static

Tracking#1...83.vbs

windows7_x64

10

Tracking#1...83.vbs

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    161ef8d489aa4af60893cbf531e4760fc25db74b0afa5e3056bb8a52f532824a

  • Size

    215KB

  • Sample

    220609-fg4qcshbh6

  • MD5

    9c2e87eb25206e1fbbba38dd05a3ff7c

  • SHA1

    3d62bc0b14a3b3b9d4cd5d8d1d5a3d90dcb557b5

  • SHA256

    161ef8d489aa4af60893cbf531e4760fc25db74b0afa5e3056bb8a52f532824a

  • SHA512

    9ffa37638d66b118a1e2f0fe04848a343764102f1276a4cb797fd14766ceb70ac1aa2a598fe48d1df9ed60a3e9d2985957a8a760bc2f2e411cc8cec7f6f17b49

Score
10/10
hancitor1912_372823downloader

Malware Config

Extracted

Family

hancitor

Botnet

1912_372823

C2

http://howeelyzuq.com/4/forum.php

http://thriondery.ru/4/forum.php

http://craledlopj.ru/4/forum.php

Targets

    • Target

      Tracking#1912257252583.vbs

    • Size

      602KB

    • MD5

      02782c8c2739ebc98df5b5bcfb758ead

    • SHA1

      409d28546f0589ba6f8af73c8cbb7328be717aba

    • SHA256

      aa14013aab2ff7beea20c14c710dafde5f4bd79d8e125f63ed38e788c6e4aa18

    • SHA512

      3907e36f23dea3337fee11696066c3f738f2c4587de39374267105c8fc8abeee6ffd761251478bab9d31bbed09d6c8c1495b4d4fb9c2cc782e0e9df542f7db9d

    Score
    10/10
    hancitor1912_372823downloader

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

      downloaderhancitor

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks