hancitor | 27dcd980511896334e5ac199b42ffb9a2391c2a696652da5bbd2bd7913b7beb8

Analysis

max time kernel
151s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 16:17

Target

27dcd980511896334e5ac199b42ffb9a2391c2a696652da5bbd2bd7913b7beb8.dll
Size

389KB
MD5

aa57bf47faa19fd0de5cdfd103a41e7d
SHA1

5a70c151a194f6e47147f6eca903b5940772c818
SHA256

27dcd980511896334e5ac199b42ffb9a2391c2a696652da5bbd2bd7913b7beb8
SHA512

6a67972fed76e52e0326d97d6fce6f113d4c57eb99f6b493ffdb054fe012037c9ea8966662104b0ec0ea7f771a39f442ba6802cc1dd14867de1c76d71d888da5
SSDEEP

12288:V17lp2D7gWtUSvuWZJ634myr2H/BRGbmaROV:VVSsE638risLR

Score

10^/10

Family

hancitor

Botnet

2502_ser3402

http://speritentz.com/8/forum.php

http://afternearde.ru/8/forum.php

http://counivicop.ru/8/forum.php

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow	pid	Process
25	2724	rundll32.exe
31	2724	rundll32.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
18	api.ipify.org

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid	Process
2724	rundll32.exe
2724	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 752 wrote to memory of 2724	752	rundll32.exe	80
PID 752 wrote to memory of 2724	752	rundll32.exe	80
PID 752 wrote to memory of 2724	752	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\27dcd980511896334e5ac199b42ffb9a2391c2a696652da5bbd2bd7913b7beb8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:752
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\27dcd980511896334e5ac199b42ffb9a2391c2a696652da5bbd2bd7913b7beb8.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:2724

memory/2724-132-0x0000000000000000-mapping.dmp

Download
memory/2724-133-0x0000000074910000-0x000000007491A000-memory.dmp

Filesize
40KB

Download
memory/2724-134-0x0000000074910000-0x00000000749C0000-memory.dmp

Filesize
704KB

Download
memory/2724-135-0x0000000074910000-0x00000000749C0000-memory.dmp

Filesize
704KB

Download