Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    07-07-2022 09:28

General

  • Target

    463714fb98a2d18aaa5b6b29782822b4971034de9ea9da06708974cabcc999aa.exe

  • Size

    96KB

  • MD5

    9a69378f63c39e0f3a148dd3767fa807

  • SHA1

    85fdc5dafe3dbd3943afb07028eb183980a1f410

  • SHA256

    463714fb98a2d18aaa5b6b29782822b4971034de9ea9da06708974cabcc999aa

  • SHA512

    621f8a96096250a8c15f419e34d7645323db2ae535cb12dca1742ac72107e227b55ce1f6b06e02ae3011a21cce3e2d77a84b499c8390ec8f0bb5f488e7f34cb5

Malware Config

Extracted

Family

hancitor

Botnet

01_07_834832

C2

http://totharduron.com/4/forum.php

http://rythettinleft.ru/4/forum.php

http://sebutgurom.ru/4/forum.php

Signatures

  • Hancitor

    Hancitor is downloader used to deliver other malware families.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\463714fb98a2d18aaa5b6b29782822b4971034de9ea9da06708974cabcc999aa.exe
    "C:\Users\Admin\AppData\Local\Temp\463714fb98a2d18aaa5b6b29782822b4971034de9ea9da06708974cabcc999aa.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1464-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

    Filesize

    8KB

  • memory/1464-55-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/1464-56-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB