Overview

overview

10

Static

static

ca9ebb765d...5a.vbs

windows7_x64

10

ca9ebb765d...5a.vbs

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ca9ebb765d73b6379c2c037f86d2823144137a366bf79a4a974063beff45d55a

  • Size

    545KB

  • Sample

    220614-148caafdcr

  • MD5

    97770c143d6f911ad2fb667089f3254b

  • SHA1

    eb2be9136ecad2479b0f8348ce154d48f6c89d25

  • SHA256

    ca9ebb765d73b6379c2c037f86d2823144137a366bf79a4a974063beff45d55a

  • SHA512

    51962e2f84cb1a753268c4ff79a166d754c7d13caaa41d53e1119999a14774721fab4cd9fb05dbf99913db42c9e0b16061685b6945159892ade604821efb734a

Score
10/10
hancitor1912_372823downloader

Malware Config

Extracted

Family

hancitor

Botnet

1912_372823

C2

http://howeelyzuq.com/4/forum.php

http://thriondery.ru/4/forum.php

http://craledlopj.ru/4/forum.php

Targets

    • Target

      ca9ebb765d73b6379c2c037f86d2823144137a366bf79a4a974063beff45d55a

    • Size

      545KB

    • MD5

      97770c143d6f911ad2fb667089f3254b

    • SHA1

      eb2be9136ecad2479b0f8348ce154d48f6c89d25

    • SHA256

      ca9ebb765d73b6379c2c037f86d2823144137a366bf79a4a974063beff45d55a

    • SHA512

      51962e2f84cb1a753268c4ff79a166d754c7d13caaa41d53e1119999a14774721fab4cd9fb05dbf99913db42c9e0b16061685b6945159892ade604821efb734a

    Score
    10/10
    hancitor1912_372823downloader

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

      downloaderhancitor

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks