hancitor | 9059535c4c046e8292e3b7528c624af59886aeea8509f289b2a195b0fc83c559

Analysis

Target

9059535c4c046e8292e3b7528c624af59886aeea8509f289b2a195b0fc83c559.dll
Size

174KB
MD5

756dbecf943dd53febeb85b2ce28663a
SHA1

221fda0aa2748a9ef518ad568e4038ce7a466ecf
SHA256

9059535c4c046e8292e3b7528c624af59886aeea8509f289b2a195b0fc83c559
SHA512

651a5ad4a7aa001464260ad0bb9ed5504910b5c8917ea85a93860e3d08bf8e922e24f466dd28d7f4e024e4297fa925bb513f47177277ae098ff9ea826b06e991

Score

10^/10

Family

hancitor

Botnet

1811_67213

http://elesengrity.com/4/forum.php

http://lardempotr.ru/4/forum.php

http://dethavare.ru/4/forum.php

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 904 set thread context of 992	904	rundll32.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
992	svchost.exe
992	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 904	812	rundll32.exe	27
PID 812 wrote to memory of 904	812	rundll32.exe	27
PID 812 wrote to memory of 904	812	rundll32.exe	27
PID 812 wrote to memory of 904	812	rundll32.exe	27
PID 812 wrote to memory of 904	812	rundll32.exe	27
PID 812 wrote to memory of 904	812	rundll32.exe	27
PID 812 wrote to memory of 904	812	rundll32.exe	27
PID 904 wrote to memory of 992	904	rundll32.exe	28
PID 904 wrote to memory of 992	904	rundll32.exe	28
PID 904 wrote to memory of 992	904	rundll32.exe	28
PID 904 wrote to memory of 992	904	rundll32.exe	28
PID 904 wrote to memory of 992	904	rundll32.exe	28
PID 904 wrote to memory of 992	904	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9059535c4c046e8292e3b7528c624af59886aeea8509f289b2a195b0fc83c559.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:812
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9059535c4c046e8292e3b7528c624af59886aeea8509f289b2a195b0fc83c559.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:992

memory/904-55-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/904-56-0x0000000000180000-0x0000000000189000-memory.dmp

Filesize
36KB

Download
memory/904-61-0x00000000001C0000-0x00000000001CC000-memory.dmp

Filesize
48KB

Download
memory/904-63-0x00000000001C0000-0x00000000001CC000-memory.dmp

Filesize
48KB

Download
memory/904-65-0x0000000000180000-0x0000000000189000-memory.dmp

Filesize
36KB

Download
memory/992-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/992-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/992-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/992-67-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/992-68-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download