hancitor | 840000[.]dll

Sharing

Copy URL

Twitter E-mail

General

Target

840000.dll
Size

28KB
MD5

6787927b005c1705d5b5c20278d4e6c0
SHA1

3454b0aa14a67e3d833f1141b39cc6b8b487a0d4
SHA256

9a6b2a199af672934bc1de34dd9c668bbe5106c3d6e4889cf2c8170ad4f9d2f6
SHA512

9afd534da51317a63b2751b8d31e248cd29d732e3b27c048ac9578bb6a1e3c59a670bb4e593d3ccb2b43379279e9d0968ed3b720aa71753ea20ddb64f7df74bd
SSDEEP

384:Jci7KqJESXvZioqMWFDNslwKYmS1NN6AmU4tbZRB:JF1DvZioEM06AmUSB

Score

10^/10

1101_jh372 hancitor

Malware Config

Extracted

Family

hancitor

Botnet

1101_jh372

http://fruciand.com/8/forum.php

http://forticheire.ru/8/forum.php

http://nentrivend.ru/8/forum.php

Signatures

Hancitor family
hancitor

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
840000.dll

Files

840000.dll
.dll regsvr32 windows:6 windows x86 arch:x86

57265d838ef6737ecad7f941f2f02016

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

wininet

InternetOpenA
HttpSendRequestA
InternetCloseHandle
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
InternetSetOptionA
InternetQueryOptionA
InternetReadFile
InternetConnectA

iphlpapi

GetAdaptersAddresses

netapi32

DsEnumerateDomainTrustsA

ntdll

RtlDecompressBuffer

kernel32

K32GetProcessImageFileNameA
K32EnumProcesses
GetComputerNameA
HeapAlloc
HeapFree
GetProcessHeap
Sleep
lstrcpyA
GetVolumeInformationA
GetVersion
GetWindowsDirectoryA
lstrcatA
lstrlenA
GetEnvironmentVariableA
CreateFileA
WriteFile
GetTempPathA
GetTempFileNameA
CloseHandle
GetLastError
TerminateProcess
CreateThread
CreateRemoteThread
ResumeThread
CreateProcessA
GetProcessId
GetThreadContext
SetThreadContext
OpenProcess
GetSystemInfo
VirtualAlloc
VirtualFree
VirtualAllocEx
WriteProcessMemory
VirtualFreeEx
GetModuleHandleA
GetProcAddress
LoadLibraryA
lstrcmpiA

user32

wsprintfA

advapi32

CryptReleaseContext
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptDecrypt
CryptDestroyKey
CryptDeriveKey
OpenProcessToken
CryptAcquireContextA
LookupAccountSidA
GetTokenInformation

Exports

Exports

DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 492B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

57265d838ef6737ecad7f941f2f02016

Headers

DLL Characteristics

File Characteristics

Imports

wininet

iphlpapi

netapi32

ntdll

kernel32

user32

advapi32

Exports

Exports

Sections

.text Size: 11KB - Virtual size: 10KB

.rdata Size: 3KB - Virtual size: 3KB

.data Size: 8KB - Virtual size: 8KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 512B - Virtual size: 492B

.text
Size: 11KB - Virtual size: 10KB

.rdata
Size: 3KB - Virtual size: 3KB

.data
Size: 8KB - Virtual size: 8KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 512B - Virtual size: 492B