MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2980c5b5f9a53545f3006bc492f014bde34855924a1bc619e58d7c5804143551. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Hancitor


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2980c5b5f9a53545f3006bc492f014bde34855924a1bc619e58d7c5804143551
SHA3-384 hash: a0d13f733f60c3936df4b9c0737aeef44affbbff78279d34789184745e829581385fc8e9214fcc39ff82ca9bd01e0ecf
SHA1 hash: eb5d38c4b5863800ca4405101777b603198f3cb8
MD5 hash: 865635d3b53542c29ac72ec8a9b6c142
humanhash: william-nebraska-twelve-east
File name:W0rd.dll
Download: download sample
Signature Hancitor
Create hunting rule
File size:237'568 bytes
First seen:2020-11-30 17:40:24 UTC
Last seen:2020-11-30 19:59:58 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 7d9fb5391fa65e89e0b9665b9586de43 (2 x Hancitor)
ssdeep 3072:Z7Cc1s4VR2MVQqkIOfKtC7pEwaFOoDgH0rafWTxPOL+jejC5zrp0d:Yc1VRhQjIRg7pEdBDKGvxPOmxzd
Threatray 26 similar samples on MalwareBazaar
TLSH C734AE1176B8C032FE971639047BC2618A7E7A604B78CED7A3ED1A692F137E1653434A
Reporter ffforward
Tags:dll Hancitor

Intelligence

File Origin
# of uploads :
2
# of downloads :
478
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106078/
Detection(s):
SecuriteInfo.com.ML.PE-A.16194.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending an HTTP GET request
Sending an HTTP POST request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/551205
Signature
Found potential dummy code loops (likely to delay analysis)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 324719 Sample: W0rd.dll Startdate: 30/11/2020 Architecture: WINDOWS Score: 52 15 Multi AV Scanner detection for submitted file 2->15 6 loaddll32.exe 1 2->6         started        process3 process4 8 rundll32.exe 6->8         started        11 rundll32.exe 6->11         started        13 rundll32.exe 6->13         started        signatures5 17 Found potential dummy code loops (likely to delay analysis) 8->17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2980c5b5f9a53545f3006bc492f014bde34855924a1bc619e58d7c5804143551/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2020-11-30 17:41:05 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
33d4b93f27fa6d5f68443a35b0640269b3f6a1cfd8e0015361e462bc369b0133
Hancitor
3517067834c67dfe59fc941b96ef30a24c946cf9d03e0ba3ef641a5031674b54
Hancitor
54a1ff16fd63ead406eec7b18303d4998ff43c078dc8c4257d6ba593a3e3b24d
Hancitor
56e6ed39784fcc4c9b1898a672c06c83b7a3b8ffbbdf90223e52e4865fa183bc
Hancitor
57120da92792471020573332d1ff30fadf4496f77e2652229c6dca7fc8685ae3
Hancitor
5caa0ee90d4a5013d79a5d6f8c9d5ff921a1fd5cb2ce2a659527ef6573040ef4
Hancitor
65c58463eaf930808c036d35954159c0631961dfcc3abaac19b5ca9d6aabf2b3
Hancitor
687f7bba20b525b3e93a52ecf1d816e34521a476197616a6b1b2dd3a6c5990c3
Hancitor
8e58233566c9227207f1045843d90703dda7c509a2d4b39212916a84930a2e63
Hancitor
9a25a087142a27b94b10f71bbd87bccaae81535b28563c0ceb3a2ac17814373e
Hancitor
+ 16 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/201130-fx7xmjn4tj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Blacklisted process makes network request
Unpacked files
SH256 hash:
4dd21c47b86162fd1ac7908718cd681c9a70ff3c94f41b844bd1ffaa83ebf7da
MD5 hash:
957574dc66a5dd898d85f36f435cbf2b
SHA1 hash:
faa4c44122f26b5ac305bac944d67215b5b223d9
Detections:
win_hancitor_auto
Create hunting rule
Link:
https://www.unpac.me/results/401d2dec-b873-413e-bbdf-9eb978be3053/
SH256 hash:
2980c5b5f9a53545f3006bc492f014bde34855924a1bc619e58d7c5804143551
MD5 hash:
865635d3b53542c29ac72ec8a9b6c142
SHA1 hash:
eb5d38c4b5863800ca4405101777b603198f3cb8
Link:
https://www.unpac.me/results/401d2dec-b873-413e-bbdf-9eb978be3053/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2980c5b5f9a53545f3006bc492f014bde34855924a1bc619e58d7c5804143551

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:hancitor
Create hunting rule
Author:J from THL <j@techhelplist.com>
Description:Memory string yara for Hancitor
Rule name:win_hancitor_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Hancitor

Word file doc 687f7bba20b525b3e93a52ecf1d816e34521a476197616a6b1b2dd3a6c5990c3

Hancitor

DLL dll 2980c5b5f9a53545f3006bc492f014bde34855924a1bc619e58d7c5804143551

(this sample)

  
Dropped by
SHA256 687f7bba20b525b3e93a52ecf1d816e34521a476197616a6b1b2dd3a6c5990c3
Cape
Cape
https://www.capesandbox.com/analysis/106078/

Comments