hancitor | 2ae278b49a16340323666bc486a2686491391374365393142e44a25c16b29465 | Triage

Submit
Reports

Overview

overview

Static

static

8

d225efab3c...9b.doc

windows7-x64

4

d225efab3c...9b.doc

windows10-2004-x64

Sharing

General

Target

d225efab3cf8f751c299accb3f114e9b
Size

612KB
Sample

240318-a568haca73
MD5

d225efab3cf8f751c299accb3f114e9b
SHA1

fdabc9901ed3b774b106859f4c5c0c3c1dcf1aef
SHA256

2ae278b49a16340323666bc486a2686491391374365393142e44a25c16b29465
SHA512

c0656fa0af6391c2568efe70b1b9ee0120eace96575f0c04ceea9d77aa94b6941b682257585097cef8fb661bf5944f9ab69792aa413173cb6300d361828bc672
SSDEEP

12288:EV9iQsDr8N5eCz3DFw7m/kdxoF3aHUp6BvNoywaMFsZjjotAd5Rs+:EVXkr8N8Cz6voFqDisSIj

Score

10^/10

hancitor 1808_plfr downloader macro macro_on_action

Static task

static1

macro macro_on_action

2 signatures

Behavioral task

behavioral1

Sample

d225efab3cf8f751c299accb3f114e9b.doc

Resource

win7-20240221-en

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

d225efab3cf8f751c299accb3f114e9b.doc

Resource

win10v2004-20240226-en

hancitor 1808_plfr downloader

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

hancitor

Botnet

1808_plfr

C2

http://madmilons.com/8/forum.php

http://counteent.ru/8/forum.php

http://simatereare.ru/8/forum.php

Targets

- Target
  
  d225efab3cf8f751c299accb3f114e9b
- Size
  
  612KB
- MD5
  
  d225efab3cf8f751c299accb3f114e9b
- SHA1
  
  fdabc9901ed3b774b106859f4c5c0c3c1dcf1aef
- SHA256
  
  2ae278b49a16340323666bc486a2686491391374365393142e44a25c16b29465
- SHA512
  
  c0656fa0af6391c2568efe70b1b9ee0120eace96575f0c04ceea9d77aa94b6941b682257585097cef8fb661bf5944f9ab69792aa413173cb6300d361828bc672
- SSDEEP
  
  12288:EV9iQsDr8N5eCz3DFw7m/kdxoF3aHUp6BvNoywaMFsZjjotAd5Rs+:EVXkr8N8Cz6voFqDisSIj
Score

10^/10

hancitor 1808_plfr downloader
- Hancitor
  Hancitor is downloader used to deliver other malware families.
  downloader hancitor
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

macromacro_on_action

behavioral1

behavioral2

hancitor1808_plfrdownloader

© 2018-2024

Terms | Privacy