General

  • Target

    42eae0d7813c39340ec3eac60f578d04aa9c4f351d8552e1cb850382ca2746ac

  • Size

    175KB

  • Sample

    220708-azftcsafhn

  • MD5

    cdf860fac90b5f7e5220fc33c0963da9

  • SHA1

    118efe5ecc17ce26816676561a38af07991f6ae8

  • SHA256

    42eae0d7813c39340ec3eac60f578d04aa9c4f351d8552e1cb850382ca2746ac

  • SHA512

    65a498c4dc3bda91f05938c48cba65dee5f52ed06c1bba98feeafa1e14c8cf394a3483bdbc8ab93ff7446f56c9a3bb194ee340bc4ab2eade8fe81f487fc3139f

Malware Config

Extracted

Family

hancitor

Botnet

0212_4377843

C2

http://laticivue.com/4/forum.php

http://isintilexts.ru/4/forum.php

http://sailitisk.ru/4/forum.php

Targets

    • Target

      WIS_868087283709651.vbs

    • Size

      726KB

    • MD5

      a21cda7e8d89d17b1bbc3c27035b132c

    • SHA1

      357ab07a728aa6e1cadae86f47ac0ebefda296bf

    • SHA256

      ec12eb1046c20c246ac6add559a64b52485d251e300c1d2dd4503de8a08c73d5

    • SHA512

      bf02164fc72977f509771b92c41706e3fb1c357c3245b7cc2aeb15ad2492320a5f834f8fc1bb8531e799fa078c8cf973373916d89478a8c8d0ba4af8abce5d72

    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Discovery

System Information Discovery

1
T1082

Tasks