hancitor | 5c30867e49e1350f29abaf39bfc847aa7fed196c250b82125f71b7e0e06211df

Analysis

max time kernel
150s
max time network
159s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
01-08-2022 15:24

Target

5c30867e49e1350f29abaf39bfc847aa7fed196c250b82125f71b7e0e06211df.dll
Size

146KB
MD5

2789d8ecc091ca006e426a9db9361d7d
SHA1

9c33b1d66a6000119348cf61fa774d7769449456
SHA256

5c30867e49e1350f29abaf39bfc847aa7fed196c250b82125f71b7e0e06211df
SHA512

a782b451ff592be6cb78af5dafbdb41d172e5f1422a5b63943dd03782d8c31c746429ddfaa61b54460effc0a14d544fae72ebb35734afa69c71634310046ff4b

Score

10^/10

Family

hancitor

Botnet

1012_3278324

http://lappoing.com/4/forum.php

http://theirchus.ru/4/forum.php

http://andalicur.ru/4/forum.php

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2044 set thread context of 1380 2044 rundll32.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

svchost.exe

pid process

1380 svchost.exe

flow	ioc
4	api.ipify.org

description	pid	process	target process
PID 2044 set thread context of 1380	2044	rundll32.exe	svchost.exe

pid	process
1380	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 820 wrote to memory of 2044	820	rundll32.exe	rundll32.exe
PID 820 wrote to memory of 2044	820	rundll32.exe	rundll32.exe
PID 820 wrote to memory of 2044	820	rundll32.exe	rundll32.exe
PID 820 wrote to memory of 2044	820	rundll32.exe	rundll32.exe
PID 820 wrote to memory of 2044	820	rundll32.exe	rundll32.exe
PID 820 wrote to memory of 2044	820	rundll32.exe	rundll32.exe
PID 820 wrote to memory of 2044	820	rundll32.exe	rundll32.exe
PID 2044 wrote to memory of 1380	2044	rundll32.exe	svchost.exe
PID 2044 wrote to memory of 1380	2044	rundll32.exe	svchost.exe
PID 2044 wrote to memory of 1380	2044	rundll32.exe	svchost.exe
PID 2044 wrote to memory of 1380	2044	rundll32.exe	svchost.exe
PID 2044 wrote to memory of 1380	2044	rundll32.exe	svchost.exe
PID 2044 wrote to memory of 1380	2044	rundll32.exe	svchost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c30867e49e1350f29abaf39bfc847aa7fed196c250b82125f71b7e0e06211df.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1380

memory/1380-62-0x0000000000402960-mapping.dmp

Download
memory/1380-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1380-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1380-66-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1380-68-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1380-69-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2044-55-0x0000000075CB1000-0x0000000075CB3000-memory.dmp

Filesize
8KB

Download
memory/2044-56-0x0000000000120000-0x0000000000129000-memory.dmp

Filesize
36KB

Download
memory/2044-59-0x00000000001A0000-0x00000000001AC000-memory.dmp

Filesize
48KB

Download
memory/2044-60-0x0000000000120000-0x0000000000129000-memory.dmp

Filesize
36KB

Download
memory/2044-54-0x0000000000000000-mapping.dmp

Download
memory/2044-65-0x00000000001A0000-0x00000000001AC000-memory.dmp

Filesize
48KB

Download
memory/2044-63-0x00000000001A0000-0x00000000001AC000-memory.dmp

Filesize
48KB

Download