General

  • Target

    aee66bf0b352470d89afce682aa0af5bef651c97981fe20507d36127f2fa5f90

  • Size

    107KB

  • Sample

    221204-smaqpaag98

  • MD5

    9f211449d17d548d18b91d967c258e38

  • SHA1

    c9d2c38e7bab14b0398ec998639ece4676558e4b

  • SHA256

    aee66bf0b352470d89afce682aa0af5bef651c97981fe20507d36127f2fa5f90

  • SHA512

    7e48ef94f3985b2390f33d0ebf3f935b6a7366ff1b597639cb25fc9b699a314435ecf9f8b14239ce49ab2422ccd92006e3818be213e6b1882fedbd0b8d79461e

  • SSDEEP

    3072:NXkKFn0NnMSiCotQot+GjPixwEEEZgexwdAxft:dkc0liXH+p9ZgPm1

Malware Config

Extracted

Family

hancitor

Botnet

2111_7654345

C2

http://hismosedkaj.com/4/forum.php

http://consenhary.ru/4/forum.php

http://prolighmev.ru/4/forum.php
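The three C2 URLs above share one path shape (`/<n>/forum.php`), which is what a SOC analyst would turn into a proxy-log detection. The script below is an added example, not part of the sandbox report: it reduces the listed URLs to host/path indicators, scans constructed Squid-style access log lines, and also raises a lower-confidence alert for POSTs to that path on hosts not yet on the list. The IP-lookup host set is an assumption for illustration; the report does not name the lookup service the sample used.

```python
"""Match HTTP proxy log lines against the Hancitor C2 URLs listed in the
extracted config, and flag the check-in path pattern on hosts not yet known."""
import re
from urllib.parse import urlparse

# C2 URLs exactly as listed in the extracted config.
C2_URLS = [
    "http://hismosedkaj.com/4/forum.php",
    "http://consenhary.ru/4/forum.php",
    "http://prolighmev.ru/4/forum.php",
]

# Assumption: the "/<n>/forum.php" path shape is shared by all three URLs, so
# a POST to that path on any host is worth a lower-confidence alert.
C2_PATH_RE = re.compile(r"^/\d+/forum\.php$")

# Assumption: the report does not name the IP lookup service; these are
# commonly seen ones, listed only to illustrate the "external IP" signature.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com"}


def indicators(urls):
    """Reduce each URL to (hostname, path) so scheme and port do not matter."""
    return {(urlparse(u).hostname.lower(), urlparse(u).path) for u in urls}


C2_INDICATORS = indicators(C2_URLS)


def parse_squid_line(line):
    """Parse a Squid native access.log line into the fields we need."""
    f = line.split()
    if len(f) < 7:
        return None
    return {"ts": f[0], "client": f[2], "method": f[5], "url": f[6]}


def classify(url, method):
    """Return a verdict string for one request, or None if it is uninteresting."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if (host, p.path) in C2_INDICATORS:
        return "known_c2"
    if method == "POST" and C2_PATH_RE.match(p.path):
        return "c2_path_pattern"
    if host in IP_LOOKUP_HOSTS:
        return "external_ip_lookup"
    return None


def scan(log_text):
    """Scan a whole log; returns (client, url, verdict) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        verdict = classify(rec["url"], rec["method"])
        if verdict:
            hits.append((rec["client"], rec["url"], verdict))
    return hits


# Constructed Squid access.log lines for demonstration (not from the sandbox run).
SAMPLE_LOG = """\
1670144000.123 210 10.0.0.12 TCP_MISS/200 512 POST http://hismosedkaj.com/4/forum.php - HIER_DIRECT/203.0.113.5 text/html
1670144001.456 90 10.0.0.12 TCP_MISS/200 311 GET http://api.ipify.org/ - HIER_DIRECT/198.51.100.7 text/plain
1670144002.789 120 10.0.0.13 TCP_MISS/200 2048 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1670144003.000 180 10.0.0.14 TCP_MISS/200 498 POST http://rotated-domain.example/4/forum.php - HIER_DIRECT/203.0.113.9 text/html
"""

if __name__ == "__main__":
    for client, url, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:20} {client:12} {url}")
```

Matching on (hostname, path) rather than the full URL string means a rotated scheme or port, or upper-case host, still hits the known-C2 indicator; the path-only rule catches the next domain the operators rotate to, at the cost of needing review.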

Targets

    • Target

      WHO_4776889046841393.vbs

    • Size

      909KB

    • MD5

      67d3819f1f32d9a140b3201ae5d310d8

    • SHA1

      545ddac4103a70825c6fef264c08bd34787809bb

    • SHA256

      c03838ce46b55ee5253eb78a82c4f91f9273c833387bc430309bb84cd3a0bc33

    • SHA512

      85d1f5d646c05b47a5425520a9e6628744d8ec17bec6aa8b051449f9f304b07fefe2f4fe9d14bd00aeb04cc6141ea1452c888f9cb94e4ab7b1152c46da64bf8b

    • SSDEEP

      3072:DLG8LSTq0uHLlixTm/p9SKN0YpHp6R+UEpIDr5NAuCLC9kz3xHyLS8Kl0sGfjhgH:jRo5Qc970K/Dqld/2libfKTnYrKJmvJ

    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites another thread's register state; it is commonly used by injection techniques such as process hollowing to redirect execution into attacker-controlled code.
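The "unexpected child process" and "loads dropped DLL" signatures above are the two that translate most directly into endpoint detection logic. The script below is an added example, not part of the report: it runs over constructed Sysmon-style events (process create and image load) and flags a script host spawning an unexpected child, a DLL loaded from a user-writable drop directory, and the correlation of the two on the same process. The choice of wscript.exe/cscript.exe as parents follows from the .vbs target; the child and DLL names in the sample events, the allowlist and the drop directories are assumptions for illustration, not observations from this sample.

```python
"""Detect the behaviours behind two sandbox signatures in Sysmon-like events:
a script host spawning an unexpected child, and that child loading a DLL
from a user-writable path."""
import ntpath

# Assumption: the target is a .vbs, so these are the likely script hosts
# (the report does not name the host process).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed allowlist of children a script host spawns in benign use.
EXPECTED_CHILDREN = {"conhost.exe"}
# Assumed directories where a dropped file would typically land.
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")

# Constructed events in a Sysmon-like shape (EventID 1 = process create,
# EventID 7 = image load). Process and DLL names are illustrative only.
EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentProcessId": 3000, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentProcessId": 4100, "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\payload.dll"},
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "ProcessId": 5000, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentProcessId": 3000, "ParentImage": r"C:\Windows\explorer.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path, portable via ntpath."""
    return ntpath.basename(path).lower()


def unexpected_children(events):
    """Process-create events where a script host spawns a non-allowlisted child."""
    hits = []
    for e in events:
        if e["EventID"] != 1:
            continue
        parent, child = basename(e["ParentImage"]), basename(e["Image"])
        if parent in SCRIPT_HOSTS and child not in EXPECTED_CHILDREN:
            hits.append((e["ParentProcessId"], parent, e["ProcessId"], child))
    return hits


def dropped_dll_loads(events):
    """Image-load events whose DLL path lies under a user-writable drop directory."""
    hits = []
    for e in events:
        if e["EventID"] != 7:
            continue
        path = e["ImageLoaded"].lower()
        if any(d in path for d in DROP_DIRS):
            hits.append((e["ProcessId"], e["ImageLoaded"]))
    return hits


def chain(events):
    """Correlate: a script-host child that then loads a DLL from a drop directory."""
    suspicious_pids = {child_pid for _, _, child_pid, _ in unexpected_children(events)}
    return [(pid, dll) for pid, dll in dropped_dll_loads(events) if pid in suspicious_pids]


if __name__ == "__main__":
    for hit in unexpected_children(EVENTS):
        print("unexpected child:", hit)
    for hit in dropped_dll_loads(EVENTS):
        print("dropped DLL load:", hit)
    for hit in chain(EVENTS):
        print("correlated chain:", hit)
```

Each rule alone is noisy in a real estate (admins run scripts, installers load DLLs from Temp); the correlated chain, keyed on the same process ID, is the alert worth paging on.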

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic      Technique                       ID      Count
  Discovery   System Information Discovery    T1082   1

Tasks