Overview

overview

10

Static

static

Tracking#5...59.vbs

windows7_x64

10

Tracking#5...59.vbs

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2c9fa440d9bce01f99d5d0be146c7c80feb4b02e33cb0d2448398df2cff9d46a

  • Size

    198KB

  • Sample

    220614-1489ksbec8

  • MD5

    c7694f570c028b7f2f81312542cab118

  • SHA1

    e59efaaf65429f42460070dc7c5c8d943d391fca

  • SHA256

    2c9fa440d9bce01f99d5d0be146c7c80feb4b02e33cb0d2448398df2cff9d46a

  • SHA512

    589038ab7a04cb4f7f4dddd57f8813e0cc12022cdbfdaa11907bbec397d14ada2b6b48800d79cf782358cc9cc604f959f2ab13b78f4326a59128813d93e53d4e

Score
10/10
hancitor1912_372823downloader

Malware Config

Extracted

Family

hancitor

Botnet

1912_372823

C2

http://howeelyzuq.com/4/forum.php

http://thriondery.ru/4/forum.php

http://craledlopj.ru/4/forum.php

Targets

    • Target

      Tracking#5828259108959.vbs

    • Size

      545KB

    • MD5

      97770c143d6f911ad2fb667089f3254b

    • SHA1

      eb2be9136ecad2479b0f8348ce154d48f6c89d25

    • SHA256

      ca9ebb765d73b6379c2c037f86d2823144137a366bf79a4a974063beff45d55a

    • SHA512

      51962e2f84cb1a753268c4ff79a166d754c7d13caaa41d53e1119999a14774721fab4cd9fb05dbf99913db42c9e0b16061685b6945159892ade604821efb734a

    Score
    10/10
    hancitor1912_372823downloader

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

      downloaderhancitor

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks