hancitor | c1cbc33ffd320ea7657a732db883c989370e501fd902dcabfc8a1924b9e4d16b

Analysis

max time kernel
50s
max time network
145s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
31-07-2022 05:37

Target

c1cbc33ffd320ea7657a732db883c989370e501fd902dcabfc8a1924b9e4d16b.dll
Size

138KB
MD5

ea193f350cbcdd48d5bd55e7ea934838
SHA1

b22ca46d1da866f4675916580cf2e8cb690f984b
SHA256

c1cbc33ffd320ea7657a732db883c989370e501fd902dcabfc8a1924b9e4d16b
SHA512

b84dec2a5a9f01d051021018e3f67fc545c11b1d3aec329e95495d411fa7d761feac66034eeea33974260b8c9974111897a51fb50bd68ec71e507d4bcdc22e65

Score

10^/10

Family

hancitor

Botnet

1912_372823

http://howeelyzuq.com/4/forum.php

http://thriondery.ru/4/forum.php

http://craledlopj.ru/4/forum.php

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1804 set thread context of 1324	1804	rundll32.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1324	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1804	1980	rundll32.exe	26
PID 1980 wrote to memory of 1804	1980	rundll32.exe	26
PID 1980 wrote to memory of 1804	1980	rundll32.exe	26
PID 1980 wrote to memory of 1804	1980	rundll32.exe	26
PID 1980 wrote to memory of 1804	1980	rundll32.exe	26
PID 1980 wrote to memory of 1804	1980	rundll32.exe	26
PID 1980 wrote to memory of 1804	1980	rundll32.exe	26
PID 1804 wrote to memory of 1324	1804	rundll32.exe	27
PID 1804 wrote to memory of 1324	1804	rundll32.exe	27
PID 1804 wrote to memory of 1324	1804	rundll32.exe	27
PID 1804 wrote to memory of 1324	1804	rundll32.exe	27
PID 1804 wrote to memory of 1324	1804	rundll32.exe	27
PID 1804 wrote to memory of 1324	1804	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1cbc33ffd320ea7657a732db883c989370e501fd902dcabfc8a1924b9e4d16b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1cbc33ffd320ea7657a732db883c989370e501fd902dcabfc8a1924b9e4d16b.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1324

memory/1324-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1324-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1324-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1324-66-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1324-68-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1804-55-0x0000000075C01000-0x0000000075C03000-memory.dmp

Filesize
8KB

Download
memory/1804-56-0x00000000000B0000-0x00000000000B9000-memory.dmp

Filesize
36KB

Download
memory/1804-63-0x00000000000E0000-0x00000000000EC000-memory.dmp

Filesize
48KB

Download
memory/1804-62-0x00000000000E0000-0x00000000000EC000-memory.dmp

Filesize
48KB

Download
memory/1804-64-0x00000000000B0000-0x00000000000B9000-memory.dmp

Filesize
36KB

Download