hancitor | c1cbc33ffd320ea7657a732db883c989370e501fd902dcabfc8a1924b9e4d16b

Analysis

max time kernel
50s
max time network
145s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
31-07-2022 05:37

Target

c1cbc33ffd320ea7657a732db883c989370e501fd902dcabfc8a1924b9e4d16b.dll
Size

138KB
MD5

ea193f350cbcdd48d5bd55e7ea934838
SHA1

b22ca46d1da866f4675916580cf2e8cb690f984b
SHA256

c1cbc33ffd320ea7657a732db883c989370e501fd902dcabfc8a1924b9e4d16b
SHA512

b84dec2a5a9f01d051021018e3f67fc545c11b1d3aec329e95495d411fa7d761feac66034eeea33974260b8c9974111897a51fb50bd68ec71e507d4bcdc22e65

Score

10^/10

Family

hancitor

Botnet

1912_372823

http://howeelyzuq.com/4/forum.php

http://thriondery.ru/4/forum.php

http://craledlopj.ru/4/forum.php

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1804 set thread context of 1324 1804 rundll32.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

svchost.exe

pid process

1324 svchost.exe

flow	ioc
3	api.ipify.org

description	pid	process	target process
PID 1804 set thread context of 1324	1804	rundll32.exe	svchost.exe

pid	process
1324	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1980 wrote to memory of 1804	1980	rundll32.exe	rundll32.exe
PID 1980 wrote to memory of 1804	1980	rundll32.exe	rundll32.exe
PID 1980 wrote to memory of 1804	1980	rundll32.exe	rundll32.exe
PID 1980 wrote to memory of 1804	1980	rundll32.exe	rundll32.exe
PID 1980 wrote to memory of 1804	1980	rundll32.exe	rundll32.exe
PID 1980 wrote to memory of 1804	1980	rundll32.exe	rundll32.exe
PID 1980 wrote to memory of 1804	1980	rundll32.exe	rundll32.exe
PID 1804 wrote to memory of 1324	1804	rundll32.exe	svchost.exe
PID 1804 wrote to memory of 1324	1804	rundll32.exe	svchost.exe
PID 1804 wrote to memory of 1324	1804	rundll32.exe	svchost.exe
PID 1804 wrote to memory of 1324	1804	rundll32.exe	svchost.exe
PID 1804 wrote to memory of 1324	1804	rundll32.exe	svchost.exe
PID 1804 wrote to memory of 1324	1804	rundll32.exe	svchost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1cbc33ffd320ea7657a732db883c989370e501fd902dcabfc8a1924b9e4d16b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1324

memory/1324-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1324-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1324-60-0x0000000000402960-mapping.dmp

Download
memory/1324-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1324-66-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1324-68-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1804-54-0x0000000000000000-mapping.dmp

Download
memory/1804-55-0x0000000075C01000-0x0000000075C03000-memory.dmp

Filesize
8KB

Download
memory/1804-56-0x00000000000B0000-0x00000000000B9000-memory.dmp

Filesize
36KB

Download
memory/1804-63-0x00000000000E0000-0x00000000000EC000-memory.dmp

Filesize
48KB

Download
memory/1804-62-0x00000000000E0000-0x00000000000EC000-memory.dmp

Filesize
48KB

Download
memory/1804-64-0x00000000000B0000-0x00000000000B9000-memory.dmp

Filesize
36KB

Download