hancitor | 5c30867e49e1350f29abaf39bfc847aa7fed196c250b82125f71b7e0e06211df | Triage

Sharing

General

Target

5c30867e49e1350f29abaf39bfc847aa7fed196c250b82125f71b7e0e06211df
Size

146KB
Sample

220801-ss7mlsahb7
MD5

2789d8ecc091ca006e426a9db9361d7d
SHA1

9c33b1d66a6000119348cf61fa774d7769449456
SHA256

5c30867e49e1350f29abaf39bfc847aa7fed196c250b82125f71b7e0e06211df
SHA512

a782b451ff592be6cb78af5dafbdb41d172e5f1422a5b63943dd03782d8c31c746429ddfaa61b54460effc0a14d544fae72ebb35734afa69c71634310046ff4b

Score

10^/10

hancitor 1012_3278324 downloader

Malware Config

Extracted

Family

hancitor

Botnet

1012_3278324

C2

http://lappoing.com/4/forum.php

http://theirchus.ru/4/forum.php

http://andalicur.ru/4/forum.php

Targets

- Target
  
  5c30867e49e1350f29abaf39bfc847aa7fed196c250b82125f71b7e0e06211df
- Size
  
  146KB
- MD5
  
  2789d8ecc091ca006e426a9db9361d7d
- SHA1
  
  9c33b1d66a6000119348cf61fa774d7769449456
- SHA256
  
  5c30867e49e1350f29abaf39bfc847aa7fed196c250b82125f71b7e0e06211df
- SHA512
  
  a782b451ff592be6cb78af5dafbdb41d172e5f1422a5b63943dd03782d8c31c746429ddfaa61b54460effc0a14d544fae72ebb35734afa69c71634310046ff4b
Score

10^/10

hancitor 1012_3278324 downloader
- Hancitor
  Hancitor is downloader used to deliver other malware families.
  downloader hancitor
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

hancitor1012_3278324downloader

behavioral2

hancitor1012_3278324downloader