hancitor | 61087666bed01cbb77395f6ed60b48f5d45211e42c2eaf2bd51514cb736963a7 | Triage

Submit
Reports

Overview

overview

Static

static

8

download(1).doc

windows7-x64

4

download(1).doc

windows10-2004-x64

Sharing

General

Target

download(1).doc.zip
Size

923KB
Sample

240115-pellfafebp
MD5

0a4563bca606a8e9c8d98dd6affd607f
SHA1

4c605cb156f7cd5c9b498e31e325300a7a0d7979
SHA256

61087666bed01cbb77395f6ed60b48f5d45211e42c2eaf2bd51514cb736963a7
SHA512

70b22319eb2a8e0a6d68cb228dc9e95ff8c38767ada597fce105a0af4905fa227bbe372592f1aa3969f692dab06fd8c32b02bd86937f0d86b7950dd94e7ecf93
SSDEEP

24576:rINvsd3JkqKq5EvMI+GcjXFu1UeRlkFsrnRhem0KYT2dbI:rIN0d3Jk/qWvMFjU1ZR5bRsmhy2dbI

Score

10^/10

hancitor 2405_pin43 downloader macro macro_on_action

Static task

static1

macro macro_on_action

2 signatures

Behavioral task

behavioral1

Sample

download(1).doc

Resource

win7-20231215-en

windows7-x64

8 signatures

300 seconds

Behavioral task

behavioral2

Sample

download(1).doc

Resource

win10v2004-20231215-en

hancitor 2405_pin43 downloader

windows10-2004-x64

14 signatures

300 seconds

Malware Config

Extracted

Family

hancitor

Botnet

2405_pin43

C2

http://thowerteigime.com/8/forum.php

http://euvereginumet.ru/8/forum.php

http://rhopulforopme.ru/8/forum.php

Targets

- Target
  
  download(1).doc
- Size
  
  1.3MB
- MD5
  
  14f4c470c207e22c3b0a4efa7b4200e8
- SHA1
  
  21180195396580a9ade32b589490cf3bc94d3b5b
- SHA256
  
  0b22278ddb598d63f07eb983bcf307e0852cd3005c5bc15d4a4f26455562c8ec
- SHA512
  
  4adc4275a9105bf94bdce4b9d5821026d99a4adf16579b1b2b23495efbd55cc7bc90a129248a9902c7c75828eac9ac665c8a34c203b428748d9f7b8a80b76823
- SSDEEP
  
  24576:nEIjrPUaphvGvGUZ93/semhXp7AsWIKHaY8k5faaboEy6r8zz1:n/jhvGvGU93097AFIKbv0WY/1
Score

10^/10

hancitor 2405_pin43 downloader
- Hancitor
  Hancitor is downloader used to deliver other malware families.
  downloader hancitor
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

macromacro_on_action

behavioral1

behavioral2

hancitor2405_pin43downloader

© 2018-2024

Terms | Privacy