hancitor | 42eae0d7813c39340ec3eac60f578d04aa9c4f351d8552e1cb850382ca2746ac | Triage

Submit
Reports

Overview

overview

Static

static

1

WIS_868087...51.vbs

windows7-x64

WIS_868087...51.vbs

windows10-2004-x64

Sharing

General

Target

cdf860fac90b5f7e5220fc33c0963da9_JaffaCakes118
Size

175KB
Sample

240901-b3xfysxhlh
MD5

cdf860fac90b5f7e5220fc33c0963da9
SHA1

118efe5ecc17ce26816676561a38af07991f6ae8
SHA256

42eae0d7813c39340ec3eac60f578d04aa9c4f351d8552e1cb850382ca2746ac
SHA512

65a498c4dc3bda91f05938c48cba65dee5f52ed06c1bba98feeafa1e14c8cf394a3483bdbc8ab93ff7446f56c9a3bb194ee340bc4ab2eade8fe81f487fc3139f
SSDEEP

3072:p9tf/WTiFG5FtltsvzqouwhjAxzfig63CLduc+2R9uz8L91oYfOOu+:Ptfeo89toqoRhj+figKCLdM2R9hLjOx+

Score

10^/10

hancitor 0212_4377843 discovery downloader

Static task

static1

Behavioral task

behavioral1

Sample

WIS_868087283709651.vbs

Resource

win7-20240708-en

hancitor 0212_4377843 discovery downloader

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

WIS_868087283709651.vbs

Resource

win10v2004-20240802-en

hancitor 0212_4377843 discovery downloader

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

hancitor

Botnet

0212_4377843

C2

http://laticivue.com/4/forum.php

http://isintilexts.ru/4/forum.php

http://sailitisk.ru/4/forum.php

Targets

- Target
  
  WIS_868087283709651.vbs
- Size
  
  726KB
- MD5
  
  a21cda7e8d89d17b1bbc3c27035b132c
- SHA1
  
  357ab07a728aa6e1cadae86f47ac0ebefda296bf
- SHA256
  
  ec12eb1046c20c246ac6add559a64b52485d251e300c1d2dd4503de8a08c73d5
- SHA512
  
  bf02164fc72977f509771b92c41706e3fb1c357c3245b7cc2aeb15ad2492320a5f834f8fc1bb8531e799fa078c8cf973373916d89478a8c8d0ba4af8abce5d72
- SSDEEP
  
  12288:GMrUPl85od7HaQBUKqzoSv0DyZ1IfNKOngDi/4ogf3bQkrkT8W1B7jcCBLwnoppi:GaUPlTlUKqzoSvUo0gO2LbkTxpHLfHKH
Score

10^/10

hancitor 0212_4377843 discovery downloader
- Hancitor
  Hancitor is downloader used to deliver other malware families.
  downloader hancitor
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hancitor0212_4377843discoverydownloader

behavioral2

hancitor0212_4377843discoverydownloader

© 2018-2024

Terms | Privacy