hancitor | 52fd49a35294a4de460bb34687c7423528ebe5e6016cf4a5889828d2ba9a26ab

Analysis

max time kernel
156s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
17-07-2022 01:16

Target

52fd49a35294a4de460bb34687c7423528ebe5e6016cf4a5889828d2ba9a26ab.dll
Size

159KB
MD5

42b614e784b4794d328158a7476e8c6a
SHA1

ec0f6de8511503b20be76b795b7039c7da8a8122
SHA256

52fd49a35294a4de460bb34687c7423528ebe5e6016cf4a5889828d2ba9a26ab
SHA512

b12af368cd3ab799cc680da9052a2ec824bd6830da39b22c437df18faa3b1ae60d0661d524de65e3ee939664ba902093dbdc762bea28a139936e17615e77f6aa

Score

10^/10

Family

hancitor

Botnet

0912_1237732

http://featicent.com/4/forum.php

http://whysturprom.ru/4/forum.php

http://usseleteria.ru/4/forum.php

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1760 set thread context of 3216 1760 rundll32.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exe

pid process

3216 svchost.exe
3216 svchost.exe

flow	ioc
18	api.ipify.org

description	pid	process	target process
PID 1760 set thread context of 3216	1760	rundll32.exe	svchost.exe

pid	process
3216	svchost.exe
3216	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2456 wrote to memory of 1760	2456	rundll32.exe	rundll32.exe
PID 2456 wrote to memory of 1760	2456	rundll32.exe	rundll32.exe
PID 2456 wrote to memory of 1760	2456	rundll32.exe	rundll32.exe
PID 1760 wrote to memory of 3216	1760	rundll32.exe	svchost.exe
PID 1760 wrote to memory of 3216	1760	rundll32.exe	svchost.exe
PID 1760 wrote to memory of 3216	1760	rundll32.exe	svchost.exe
PID 1760 wrote to memory of 3216	1760	rundll32.exe	svchost.exe
PID 1760 wrote to memory of 3216	1760	rundll32.exe	svchost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\52fd49a35294a4de460bb34687c7423528ebe5e6016cf4a5889828d2ba9a26ab.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\52fd49a35294a4de460bb34687c7423528ebe5e6016cf4a5889828d2ba9a26ab.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3216

memory/1760-130-0x0000000000000000-mapping.dmp

Download
memory/1760-131-0x00000000005F0000-0x00000000005F9000-memory.dmp

Filesize
36KB

Download
memory/1760-136-0x00000000006F0000-0x00000000006FC000-memory.dmp

Filesize
48KB

Download
memory/1760-138-0x00000000005F0000-0x00000000005F9000-memory.dmp

Filesize
36KB

Download
memory/3216-132-0x0000000000000000-mapping.dmp

Download
memory/3216-133-0x0000000000310000-0x0000000000319000-memory.dmp

Filesize
36KB

Download
memory/3216-135-0x0000000000310000-0x0000000000319000-memory.dmp

Filesize
36KB

Download
memory/3216-137-0x0000000000310000-0x0000000000319000-memory.dmp

Filesize
36KB

Download