MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 245dd0bff1c08559e5e68ea25aadbf5bc6ebef5831ec19c34d8d2021747157fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Hancitor


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 245dd0bff1c08559e5e68ea25aadbf5bc6ebef5831ec19c34d8d2021747157fe
SHA3-384 hash: 2bd805cfde30914c04afb6b1eea452639ed529831e2a49f91616ce77aa170a1467fc60c04afcd81894c7ebd15184efe4
SHA1 hash: 95ac8afcf79459b8670dc932b39ac752d0c0ab1d
MD5 hash: a93f9ecb20354d450b0443b63808c5ef
humanhash: xray-eighteen-nitrogen-july
File name:iff.dll
Download: download sample
Signature Hancitor
Create hunting rule
File size:1'981'952 bytes
First seen:2021-11-23 16:00:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5fe95842305351d9bdde794356e8202a (1 x Hancitor)
ssdeep 6144:sDoJKIZZTBzAruI23ZzC+qQXl/pTTjQdDs0GV7OWbA00fr649q7JL4iv3J+wI01q:ssJKIzZAruIWzCglle44WbR0W9lq
TLSH T1D3957D5278BF673BCCB6C5B5CC0D2BE77D6D0AA4292C92F7AFE40DF8A8505818450279
Reporter proxylife
Tags:2311 2311nsdir dll exe Hancitor

Intelligence

File Origin
# of uploads :
1
# of downloads :
805
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1123_2339546126972.doc
Verdict:
Malicious activity
Analysis date:
2021-11-23 15:58:37 UTC
Tags:
macros ole-embedded macros-on-open generated-doc encrypted evasion
Link:
https://app.any.run/tasks/1639b019-35bc-4e58-b65f-7fe40119fb46

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Link:
https://www.filescan.io/uploads/619d1042f36138de3f377663/reports/92a33e30-cdc7-4f7c-80c1-6a2cfde0c982/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d9e0249e-211f-4ab2-b551-237ecdd335cb
Result
Threat name:
Hancitor
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/894876
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Found malware configuration
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Hancitor
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/245dd0bff1c08559e5e68ea25aadbf5bc6ebef5831ec19c34d8d2021747157fe/
Threat name:
Win32.Trojan.Hancitor
Create hunting rule
Status:
Malicious
First seen:
2021-11-23 16:01:16 UTC
File Type:
PE (Dll)
AV detection:
21 of 45 (46.67%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
hancitor
Create hunting rule
Result
Malware family:
hancitor
Create hunting rule
Score:
  10/10
Tags:
family:hancitor botnet:2311_nsdir downloader
Link:
https://tria.ge/reports/211123-tf8jtaafaq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Looks up external IP address via web service
Blocklisted process makes network request
Hancitor
Malware Config
C2 Extraction:
http://templogio.com/9/forum.php
http://johommeract.ru/9/forum.php
http://amesibiquand.ru/9/forum.php
Unpacked files
SH256 hash:
ab2a474c3fd276095d7db5d78df356a572b1eee397ef1977facd8df214db3db0
MD5 hash:
a2dd642315f3cc6b44241c31ec964ea3
SHA1 hash:
6a2426de100f63c884a54ed12013e3094e6fe10b
Detections:
win_hancitor_auto
Create hunting rule
Link:
https://www.unpac.me/results/92f61b8a-6ddd-4f43-854c-ab625d79735f/
Parent samples :
245dd0bff1c08559e5e68ea25aadbf5bc6ebef5831ec19c34d8d2021747157fe
ab2a474c3fd276095d7db5d78df356a572b1eee397ef1977facd8df214db3db0
SH256 hash:
245dd0bff1c08559e5e68ea25aadbf5bc6ebef5831ec19c34d8d2021747157fe
MD5 hash:
a93f9ecb20354d450b0443b63808c5ef
SHA1 hash:
95ac8afcf79459b8670dc932b39ac752d0c0ab1d
Link:
https://www.unpac.me/results/92f61b8a-6ddd-4f43-854c-ab625d79735f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/245dd0bff1c08559e5e68ea25aadbf5bc6ebef5831ec19c34d8d2021747157fe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/208759/

Comments