hancitor | 27dcd980511896334e5ac199b42ffb9a2391c2a696652da5bbd2bd7913b7beb8

Analysis

max time kernel
95s
max time network
115s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 16:17

Target

27dcd980511896334e5ac199b42ffb9a2391c2a696652da5bbd2bd7913b7beb8.dll
Size

389KB
MD5

aa57bf47faa19fd0de5cdfd103a41e7d
SHA1

5a70c151a194f6e47147f6eca903b5940772c818
SHA256

27dcd980511896334e5ac199b42ffb9a2391c2a696652da5bbd2bd7913b7beb8
SHA512

6a67972fed76e52e0326d97d6fce6f113d4c57eb99f6b493ffdb054fe012037c9ea8966662104b0ec0ea7f771a39f442ba6802cc1dd14867de1c76d71d888da5
SSDEEP

12288:V17lp2D7gWtUSvuWZJ634myr2H/BRGbmaROV:VVSsE638risLR

Score

10^/10

Family

hancitor

Botnet

2502_ser3402

http://speritentz.com/8/forum.php

http://afternearde.ru/8/forum.php

http://counivicop.ru/8/forum.php

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

5 916 rundll32.exe
8 916 rundll32.exe
10 916 rundll32.exe
12 916 rundll32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

916 rundll32.exe

flow	ioc
4	api.ipify.org

pid	process
916	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 840 wrote to memory of 916	840	rundll32.exe	rundll32.exe
PID 840 wrote to memory of 916	840	rundll32.exe	rundll32.exe
PID 840 wrote to memory of 916	840	rundll32.exe	rundll32.exe
PID 840 wrote to memory of 916	840	rundll32.exe	rundll32.exe
PID 840 wrote to memory of 916	840	rundll32.exe	rundll32.exe
PID 840 wrote to memory of 916	840	rundll32.exe	rundll32.exe
PID 840 wrote to memory of 916	840	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\27dcd980511896334e5ac199b42ffb9a2391c2a696652da5bbd2bd7913b7beb8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\27dcd980511896334e5ac199b42ffb9a2391c2a696652da5bbd2bd7913b7beb8.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:916

memory/916-54-0x0000000000000000-mapping.dmp

Download
memory/916-55-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/916-56-0x0000000074E20000-0x0000000074E2A000-memory.dmp

Filesize
40KB

Download
memory/916-57-0x0000000074E20000-0x0000000074ED0000-memory.dmp

Filesize
704KB

Download