hancitor | 9059535c4c046e8292e3b7528c624af59886aeea8509f289b2a195b0fc83c559

Analysis

Target

9059535c4c046e8292e3b7528c624af59886aeea8509f289b2a195b0fc83c559.dll
Size

174KB
MD5

756dbecf943dd53febeb85b2ce28663a
SHA1

221fda0aa2748a9ef518ad568e4038ce7a466ecf
SHA256

9059535c4c046e8292e3b7528c624af59886aeea8509f289b2a195b0fc83c559
SHA512

651a5ad4a7aa001464260ad0bb9ed5504910b5c8917ea85a93860e3d08bf8e922e24f466dd28d7f4e024e4297fa925bb513f47177277ae098ff9ea826b06e991

Score

10^/10

Family

hancitor

Botnet

1811_67213

http://elesengrity.com/4/forum.php

http://lardempotr.ru/4/forum.php

http://dethavare.ru/4/forum.php

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3368 set thread context of 4164	3368	rundll32.exe	80

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 3368	3848	rundll32.exe	79
PID 3848 wrote to memory of 3368	3848	rundll32.exe	79
PID 3848 wrote to memory of 3368	3848	rundll32.exe	79
PID 3368 wrote to memory of 4164	3368	rundll32.exe	80
PID 3368 wrote to memory of 4164	3368	rundll32.exe	80
PID 3368 wrote to memory of 4164	3368	rundll32.exe	80
PID 3368 wrote to memory of 4164	3368	rundll32.exe	80
PID 3368 wrote to memory of 4164	3368	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9059535c4c046e8292e3b7528c624af59886aeea8509f289b2a195b0fc83c559.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9059535c4c046e8292e3b7528c624af59886aeea8509f289b2a195b0fc83c559.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4164

memory/3368-131-0x0000000001080000-0x0000000001089000-memory.dmp

Filesize
36KB

Download
memory/3368-136-0x0000000001080000-0x0000000001089000-memory.dmp

Filesize
36KB

Download
memory/3368-137-0x0000000002B30000-0x0000000002B3C000-memory.dmp

Filesize
48KB

Download
memory/4164-133-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4164-135-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4164-138-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4164-139-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download