Overview

overview

10

Static

static

3

6a3d79f41a...05.dll

windows7-x64

10

6a3d79f41a...05.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-01-2024 10:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6a3d79f41ad61de63427c5baff49e005.dll

  • Size

    800KB

  • MD5

    6a3d79f41ad61de63427c5baff49e005

  • SHA1

    02c53f32e73727f140e2fc7de9c9e033e87f109d

  • SHA256

    25b773d34fb3cdaf47d12efe8b83579c6134d612050542d87e529d0ca5191dc3

  • SHA512

    15c0e27f6e80cb34e690959addc47a9a169cc5eabf0251a05cfbeff188f28368582d45bb434c9888f134128b3ec094d3b955b6b47dca73491d9e04a8998c2710

  • SSDEEP

    12288:LV3KhhWj6TCPmLpGGFk7ZioaZUp6I/nS049BV3KhhWj6TCPmLpGGFk7ZioaZUp6n:rj6smL+dAZE6Ignj6smL+dAZE6Ig

Score
10/10
hancitor2508_bqplfdownloader

Malware Config

Extracted

Family

hancitor

Botnet

2508_bqplf

C2

http://intakinger.com/8/forum.php

http://idgentexpliet.ru/8/forum.php

http://declassivan.ru/8/forum.php

Signatures

  • Hancitor

    Hancitor is downloader used to deliver other malware families.

    downloaderhancitor
  • Blocklisted process makes network request 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a3d79f41ad61de63427c5baff49e005.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3716
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a3d79f41ad61de63427c5baff49e005.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID:4812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4812-0-0x0000000010000000-0x0000000010078000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4812-1-0x0000000010000000-0x0000000010078000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4812-2-0x0000000001200000-0x0000000001201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4812-3-0x0000000010000000-0x0000000010078000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4812-6-0x0000000001200000-0x0000000001201000-memory.dmp

    Filesize

    4KB

    Download