General

  • Target

    57b8fd07105b7053c150c5e228607f5eaf896996e0530cf71246ce8cda59f19b

  • Size

    194KB

  • Sample

    220724-y3fjrsfcdk

  • MD5

    6b4979546fe3339c1c929a01bb0f4ca4

  • SHA1

    f0b7636d8df9debfe3fb5d2b44cb040a58d7970b

  • SHA256

    57b8fd07105b7053c150c5e228607f5eaf896996e0530cf71246ce8cda59f19b

  • SHA512

    e8db2a6d25bb432526109914e441e3fbd7eb815f8cc3e3f7c9fc648b487fc9f8fa277297c6ef697142184634ebaddf3304b3577f6deded32363f0c075426c6b7

Malware Config

Extracted

Family

hancitor

Botnet

0312_7834534

C2

http://wintroperly.com/4/forum.php

http://thatimine.ru/4/forum.php

http://lardershe.ru/4/forum.php

Targets

    • Target

      HAV_388323793314316.vbs

    • Size

      823KB

    • MD5

      d1adedc9554d952db4e8277ded9070f1

    • SHA1

      71d96853e7a7ac197cf9930ecae348e91bebcfbf

    • SHA256

      8c077bb379c38ab73289605c3d36a8b23df04fc785754ad03efd1c3cd02c1ed2

    • SHA512

      cfcf1e91357a7e6d73329bc28fb217189b88dde386ee6a1c9d0cf8e9ab79774b4d72b4294b77c430db84d1e6d77126d4823a190b10375a049e834595c4f9c3c3

    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Discovery

System Information Discovery

1
T1082

Tasks