MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2660efbe253523dcaee2e6fdd7da208e084b4ed8cf7e59906a2e3e83a303d087. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Hancitor

Vendor detections: 11

Maldoc score: 9

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	2660efbe253523dcaee2e6fdd7da208e084b4ed8cf7e59906a2e3e83a303d087
SHA3-384 hash:	e7b69f704ca807fe1a846851cfca01444abf72a297e98607b33c839ef7e226646afafda021d8cae02967151f7366bb30
SHA1 hash:	ec961290c5d629545378dc939e4eaeb02f89212e
MD5 hash:	5edba41a1dd5184586b1251670bf19dc
humanhash:	wisconsin-white-pasta-autumn
File name:	0414_1906406106610.doc
Download:	download sample
Signature	Hancitor Create hunting rule
File size:	875'520 bytes
First seen:	2021-04-14 18:29:49 UTC
Last seen:	2021-04-14 20:06:31 UTC
File type:	doc
MIME type:	application/msword
ssdeep	12288:FB+j1ZLrnGtiI4hLrZxl3In4RjkzlEhiG2BL6+QQCth8ZexU762JcBS5xOWArL:FKEiZxl3A4yJJG2dPQQCthWu2G05xO
TLSH	721501017592D933D51705394EBACBFA2B79BC72AD248A4737C53B1F6E313A0DA21386
Reporter	TeamDreier
Tags:	Hancitor

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id

Maldoc score: 9

Application name is Microsoft Office Word

Office document is in OLE format

Office document contains VBA Macros

OLE dump

MalwareBazaar was able to identify 31 sections in this file using oledump:

Section ID	Section size	Section name
1	114 bytes	CompObj
2	320 bytes	DocumentSummaryInformation
3	412 bytes	SummaryInformation
4	14076 bytes	1Table
5	566189 bytes	Data
6	638 bytes	Macros/PROJECT
7	185 bytes	Macros/PROJECTwm
8	4358 bytes	Macros/VBA/Module1
9	3348 bytes	Macros/VBA/Module2
10	1587 bytes	Macros/VBA/Module3
11	3318 bytes	Macros/VBA/Module4
12	1099 bytes	Macros/VBA/Module5
13	1121 bytes	Macros/VBA/Module6
14	4542 bytes	Macros/VBA/ThisDocument
15	4657 bytes	Macros/VBA/_VBA_PROJECT
16	3353 bytes	Macros/VBA/__SRP_0
17	298 bytes	Macros/VBA/__SRP_1
18	1848 bytes	Macros/VBA/__SRP_2
19	206 bytes	Macros/VBA/__SRP_3
20	817 bytes	Macros/VBA/__SRP_4
21	270 bytes	Macros/VBA/__SRP_5
22	506 bytes	Macros/VBA/__SRP_6
23	284 bytes	Macros/VBA/__SRP_7
24	420 bytes	Macros/VBA/__SRP_8
25	156 bytes	Macros/VBA/__SRP_9
26	780 bytes	Macros/VBA/dir
27	76 bytes	ObjectPool/_1679874716/CompObj
28	235344 bytes	ObjectPool/_1679874716/Ole10Native
29	5000 bytes	ObjectPool/_1679874716/EPRINT
30	6 bytes	ObjectPool/_1679874716/ObjInfo
31	4096 bytes	WordDocument

OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

Type	Keyword	Description
AutoExec	Document_Open	Runs when the Word or Publisher document is opened
IOC	edge.dll	Executable file name
Suspicious	Shell	May run an executable file or a system command
Suspicious	WScript.Shell	May run an executable file or a system command
Suspicious	Run	May run an executable file or a system command
Suspicious	CreateObject	May create an OLE object

Intelligence

File Origin

# of uploads :

# of downloads :

320

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

0414_1906406106610.doc

Verdict:

Malicious activity

Analysis date:

2021-04-14 18:32:29 UTC

Tags:

macros ole-embedded macros-on-open generated-doc maldoc-57 evasion trojan hancitor

Link:

https://app.any.run/tasks/2ebe3767-4afa-459d-aa6a-03205c4fe673

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

File type:

application/msword

Has a screenshot:

False

Contains macros:

True

Detection(s):

TwinWave.EvilDoc.HanciSoFancy.20210302.UNOFFICIAL

TwinWave.EvilDoc.DOCXSTRGOOD..DLL.200225.UNOFFICIAL

TwinWave.EvilDoc.HancySoFancy.20210406.UNOFFICIAL

Sanesecurity.Badmacro.Doc.Em32.UNOFFICIAL

Sanesecurity.Badmacro.Doc.blankopen.UNOFFICIAL

MiscreantPunch.EXEInsideOfDoc.2.UNOFFICIAL

MiscreantPunch.EXEInsideOfDoc.1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Enabling autorun by creating a file

Launching a process by exploiting the app vulnerability

Result

Verdict:

Malicious

File Type:

Legacy Word File with Macro

Link:

https://app.docguard.net/2660efbe253523dcaee2e6fdd7da208e084b4ed8cf7e59906a2e3e83a303d087/results/dashboard

Payload URLs

URL

File name

PROJECT.MODULE4.CVBC

1Table

Document image

Image:

Download PNG

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/2660efbe253523dcaee2e6fdd7da208e084b4ed8cf7e59906a2e3e83a303d087

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Macro with Startup Hook

Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.

Document With Few Pages

Document contains between one and three pages of content. Most malicious documents are sparse in page count.

Macro Execution Coercion

Detected a document that appears to social engineer the user into activating embedded logic.

Macro Contains Suspicious String

Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...

Result

Threat name:

Unknown

Detection:

malicious

Classification:

expl

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/676232

Signature

Document contains an embedded VBA macro which may execute processes

Document contains an embedded VBA macro with suspicious strings

Document contains OLE streams with PE executables

Document exploit detected (drops PE files)

Document exploit detected (process start blacklist hit)

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Office process drops PE file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2660efbe253523dcaee2e6fdd7da208e084b4ed8cf7e59906a2e3e83a303d087/

Threat name:

Script-Macro.Dropper.Hancitor

Status:

Malicious

First seen:

2021-04-14 18:30:19 UTC

AV detection:

9 of 47 (19.15%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ezqo7prfgur5zlxc4365pwraryeewtwyz57ftedkfy7ihiyd2cdq._file

Result

Malware family:

hancitor

Score:

10/10

Tags:

family:hancitor downloader macro macro_on_action

Link:

https://tria.ge/reports/210414-hmfcg569g2/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

NTFS ADS

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Office loads VBA resources, possible macro or embedded object present

Drops file in Windows directory

Looks up external IP address via web service

Loads dropped DLL

Blocklisted process makes network request

Hancitor

Process spawned unexpected child process

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2660efbe253523dcaee2e6fdd7da208e084b4ed8cf7e59906a2e3e83a303d087

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Hancitor Create hunting rule
Author:	threathive
Description:	Hancitor Payload

Rule name:	hancitor_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	INDICATOR_OLE_ObjectPool_Embedded_Files Create hunting rule
Author:	ditekSHen
Description:	Detects OLE documents with ObjectPool OLE storage and embed suspicous excutable files

Rule name:	win_hancitor_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample