hancitor | 52fd49a35294a4de460bb34687c7423528ebe5e6016cf4a5889828d2ba9a26ab

Analysis

max time kernel
163s
max time network
170s
platform
windows7_x64
resource
win7-20220414-en
resource tags

arch:x64arch:x86image:win7-20220414-enlocale:en-usos:windows7-x64system
submitted
17-07-2022 01:16

Target

52fd49a35294a4de460bb34687c7423528ebe5e6016cf4a5889828d2ba9a26ab.dll
Size

159KB
MD5

42b614e784b4794d328158a7476e8c6a
SHA1

ec0f6de8511503b20be76b795b7039c7da8a8122
SHA256

52fd49a35294a4de460bb34687c7423528ebe5e6016cf4a5889828d2ba9a26ab
SHA512

b12af368cd3ab799cc680da9052a2ec824bd6830da39b22c437df18faa3b1ae60d0661d524de65e3ee939664ba902093dbdc762bea28a139936e17615e77f6aa

Score

10^/10

Family

hancitor

Botnet

0912_1237732

http://featicent.com/4/forum.php

http://whysturprom.ru/4/forum.php

http://usseleteria.ru/4/forum.php

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1996 set thread context of 2012 1996 rundll32.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exe

pid process

2012 svchost.exe
2012 svchost.exe

flow	ioc
3	api.ipify.org

description	pid	process	target process
PID 1996 set thread context of 2012	1996	rundll32.exe	svchost.exe

pid	process
2012	svchost.exe
2012	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1628 wrote to memory of 1996	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 1996	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 1996	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 1996	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 1996	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 1996	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 1996	1628	rundll32.exe	rundll32.exe
PID 1996 wrote to memory of 2012	1996	rundll32.exe	svchost.exe
PID 1996 wrote to memory of 2012	1996	rundll32.exe	svchost.exe
PID 1996 wrote to memory of 2012	1996	rundll32.exe	svchost.exe
PID 1996 wrote to memory of 2012	1996	rundll32.exe	svchost.exe
PID 1996 wrote to memory of 2012	1996	rundll32.exe	svchost.exe
PID 1996 wrote to memory of 2012	1996	rundll32.exe	svchost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\52fd49a35294a4de460bb34687c7423528ebe5e6016cf4a5889828d2ba9a26ab.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\52fd49a35294a4de460bb34687c7423528ebe5e6016cf4a5889828d2ba9a26ab.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2012

memory/1996-54-0x0000000000000000-mapping.dmp

Download
memory/1996-55-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/1996-60-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/1996-62-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/1996-64-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/2012-59-0x0000000000402960-mapping.dmp

Download
memory/2012-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2012-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2012-63-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2012-66-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2012-67-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download