MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3db14214a9eb98b3b5abffcb314c808a25ed82456ce01251d31e8ea960f6e4e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Hancitor

Vendor detections: 11

SHA256 hash: 3db14214a9eb98b3b5abffcb314c808a25ed82456ce01251d31e8ea960f6e4e6
SHA3-384 hash: 581c8cbed502397578ec78ce3d6f5432f64b1b220287f10e14425935f2f1e03e856abad4865a541f5fb3325533e8a04b
SHA1 hash: 63b70725c3298d5fa17277ec64c77a4b6fbcf697
MD5 hash: ed1921467f6784af6bdca40a06a541b5
humanhash: princess-high-saturn-low
File name: 08.jpg.exe
Signature: Hancitor
File size: 763,392 bytes
First seen: 2021-07-08 14:35:28 UTC
Last seen: 2021-07-08 15:40:56 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a2e77913b081a443f9195818466685a (1 x Hancitor)
ssdeep: 12288:4AbvaOTfFGikmS6jd2QML8HXWp8KEwbHBkm9jjgbFHLViv0dC2x0uTadTaUk7u:vbvJfFGikmS0pXfw7Bkm9j088PlTaDj
TLSH: T10DF47DF333A5C0F2D671263068138EA7075DF8AC19ED674B1BED993ACE2127375A1162
Reporter: @James_inthe_box
Tags: exe Hancitor

Intelligence

File Origin
# of uploads: 2
# of downloads: 309
Origin country: FR
Mail intelligence: No data

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: http://srand04rf.ru/08.jpg
Verdict: Malicious activity
Analysis date: 2021-07-08 14:52:32 UTC
Tags: loader evasion trojan hancitor

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Hancitor
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature:
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Hancitor
Threat name: Win32.Trojan.Emotet
Status: Malicious
First seen: 2021-07-08 14:34:57 UTC
File Type: PE (Exe)
Extracted files: 21
AV detection: 12 of 28 (42.86%)
Threat level: 5/5

Result
Malware family: hancitor
Score: 10/10
Tags: family:hancitor botnet:0707in2_wvcr downloader
Behaviour:
Suspicious behavior: EnumeratesProcesses
Looks up external IP address via web service
Malware Config (Hancitor)
C2 Extraction:
http://sudepallon.com/8/forum.php
http://anspossthrly.ru/8/forum.php
http://thentabecon.ru/8/forum.php
Unpacked files
SHA256 hash: 909307c83d431fb339548039dfbbc1c91472c4565f56d66fe419e23f271c6ac5
MD5 hash: 69f1fc24e416226960abe2d81af7b2b2
SHA1 hash: cd0a535b75d6dda19215c9629bf537ed17f68fff
Detections: win_hancitor_auto
SHA256 hash: 3db14214a9eb98b3b5abffcb314c808a25ed82456ce01251d31e8ea960f6e4e6
MD5 hash: ed1921467f6784af6bdca40a06a541b5
SHA1 hash: 63b70725c3298d5fa17277ec64c77a4b6fbcf697
