hancitor | ca28945917b92e552b7c7bacb6421bce34285f4bab5290ce14637d84ca5621e8 | Triage

Sharing

General

Target

ba5d13d64133ff19ab43207d23f467c3_JaffaCakes118
Size

208KB
Sample

240823-e35zwaxfpr
MD5

ba5d13d64133ff19ab43207d23f467c3
SHA1

449e77998a825d543995e138e10aa665381d97d3
SHA256

ca28945917b92e552b7c7bacb6421bce34285f4bab5290ce14637d84ca5621e8
SHA512

fb33e5ae73a642346d889271fc0fe3f90b5292a6792a4afd00dee7d5a11401bc0af20ce55b3552cac72bb4304929997de627aabdbdcc23b16826da31a052db9f
SSDEEP

6144:rWiT6BtfdcAXdK7Mp4Ik29CesuqVfDcT56BfL:rv6BxdcD7MpBJC/uqVuQp

Score

10^/10

hancitor 1702_pro23 discovery downloader

Malware Config

Extracted

Family

hancitor

Botnet

1702_pro23

C2

http://hatuderefer.com/8/forum.php

http://thavelede.ru/8/forum.php

http://zinsubtal.ru/8/forum.php

Targets

- Target
  
  ba5d13d64133ff19ab43207d23f467c3_JaffaCakes118
- Size
  
  208KB
- MD5
  
  ba5d13d64133ff19ab43207d23f467c3
- SHA1
  
  449e77998a825d543995e138e10aa665381d97d3
- SHA256
  
  ca28945917b92e552b7c7bacb6421bce34285f4bab5290ce14637d84ca5621e8
- SHA512
  
  fb33e5ae73a642346d889271fc0fe3f90b5292a6792a4afd00dee7d5a11401bc0af20ce55b3552cac72bb4304929997de627aabdbdcc23b16826da31a052db9f
- SSDEEP
  
  6144:rWiT6BtfdcAXdK7Mp4Ik29CesuqVfDcT56BfL:rv6BxdcD7MpBJC/uqVuQp
Score

10^/10

hancitor discovery downloader 1702_pro23
- Hancitor
  Hancitor is downloader used to deliver other malware families.
  downloader hancitor
- Blocklisted process makes network request
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hancitordiscoverydownloader

behavioral2

hancitor1702_pro23discoverydownloader