hancitor | 2a8b737a4752060a308c4312b7c0cf6c05cde5b370906286dea9cdd36f5aa613

Analysis

max time kernel
50s
max time network
16s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
26-06-2024 04:01

Target

0524_4109399728218.doc_jax.dll
Size

704KB
MD5

9dc6f214fc82d637de2f68f3c519d339
SHA1

aaa425f7377d405bea59b8adfb65afc0c8869886
SHA256

2a8b737a4752060a308c4312b7c0cf6c05cde5b370906286dea9cdd36f5aa613
SHA512

5cb0a6f3ab48e5127d5c9f638c035dd4b3a97f3eb31334d5bc3eeafc164b31540fea65d6e40abfac8566676c43e954f567dbc2af81a629b4059af7e466d75bef
SSDEEP

12288:uC69N9C/hMHx8kzFfagPtKEp6E72y/N0hwOGt+gBd8x+6vLrD1ag:HKHaY8k5faaboEy6r8zz1

Score

10^/10

Family

hancitor

Botnet

2405_pin43

http://thowerteigime.com/8/forum.php

http://euvereginumet.ru/8/forum.php

http://rhopulforopme.ru/8/forum.php

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2792	rundll32.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2792	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2792	1720	rundll32.exe	28
PID 1720 wrote to memory of 2792	1720	rundll32.exe	28
PID 1720 wrote to memory of 2792	1720	rundll32.exe	28
PID 1720 wrote to memory of 2792	1720	rundll32.exe	28
PID 1720 wrote to memory of 2792	1720	rundll32.exe	28
PID 1720 wrote to memory of 2792	1720	rundll32.exe	28
PID 1720 wrote to memory of 2792	1720	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0524_4109399728218.doc_jax.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0524_4109399728218.doc_jax.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:2792

memory/2792-0-0x00000000007E0000-0x0000000000894000-memory.dmp

Filesize
720KB

Download
memory/2792-2-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/2792-1-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/2792-4-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/2792-3-0x0000000000140000-0x0000000000148000-memory.dmp

Filesize
32KB

Download
memory/2792-6-0x00000000007E0000-0x0000000000894000-memory.dmp

Filesize
720KB

Download
memory/2792-8-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download