Analysis

  • max time kernel
    144s
  • max time network
    165s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29-01-2023 17:42

General

  • Target

    5e42ff5404aa8632852afeab9a95187be2bc8a44c37766efa2643b8f3a0bf929.exe

  • Size

    96KB

  • MD5

    ce7568e54dad53a245b51ed5cb375c7f

  • SHA1

    74a1d9948fa28b4d24a332a0eb4d2a4709fdd6aa

  • SHA256

    5e42ff5404aa8632852afeab9a95187be2bc8a44c37766efa2643b8f3a0bf929

  • SHA512

    876792c021c2c886f3a7fd02f0616e3c65736ecac3eb47da4cf18ca42404f0f0f34632c9e6184ebf65c4b78906fbf3772bdddf2f6e7486517e7e817a944302db

  • SSDEEP

    1536:JaIrL2TjvdiNB4KnrtJFNKl1fFhSwGOuyrJ9MkOzqlYw2AvN6:JaIrEvdirLmxFhThuyrJyqic

Malware Config

Extracted

Family

hancitor

Botnet

0304_87345

C2

http://waorveled.com/4/forum.php

http://hegutceper.ru/4/forum.php

http://dintroprula.ru/4/forum.php

Signatures

  • Hancitor

    Hancitor is downloader used to deliver other malware families.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e42ff5404aa8632852afeab9a95187be2bc8a44c37766efa2643b8f3a0bf929.exe
    "C:\Users\Admin\AppData\Local\Temp\5e42ff5404aa8632852afeab9a95187be2bc8a44c37766efa2643b8f3a0bf929.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/808-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

    Filesize

    8KB

  • memory/808-55-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

  • memory/808-56-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB