MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4dc9d5ee1debdba0388fbb112d4bbbc01bb782f015e798cced3fc2edb17ac557. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Hancitor


Vendor detections: 8



SHA256 hash: 4dc9d5ee1debdba0388fbb112d4bbbc01bb782f015e798cced3fc2edb17ac557
SHA3-384 hash: cafe5ee12bd72e16822a0d2a5ac39bc25a3b17d4e9ad473e56afb4c132287002e0607a9d74f578f46c32ce85c5d178f2
SHA1 hash: 02fc51e6572a17f5dbbc32c4e3dd03cca3c51afe
MD5 hash: d22d8bb38cf8d6a5ce6d8be4106350e7
humanhash: delta-ack-leopard-one
File name: niberius.dll
Signature: Hancitor
File size: 274'432 bytes
First seen: 2021-07-09 01:08:35 UTC
Last seen: 2021-07-09 01:46:15 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 7c563cc34a5ec19fda679d5f10cd6773 (1 x FickerStealer, 1 x Hancitor)
ssdeep: 3072:c+dVxycTZ+1ohyeQB7qZDZtOet+vWEY+mq2MBcCWBM0NYgJKUFfn+rY+FYs:c+HZ+10yjBOtdt+vW/q2UINHJK5dYs
TLSH: T1EA447C103281C833DBB302B54F66EA5A53E974102B2495CB3FD92AEF6F665E35636343
Reporter: @malware_traffic
Tags: dll Hancitor MAN1 Moskalvzapoe TA511


Run method: rundll32.exe [filename],ONOQWPYIEIR (the sample is a DLL; the argument after the comma is the exported function name that rundll32.exe calls, so the export must be named when detonating it)

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 344
Origin country: US
Mail intelligence: No data
Vendor Threat Intelligence
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary may be suspicious or malicious.

Result
Threat name: Hancitor
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Found malware configuration
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Yara detected Hancitor
Behaviour
Behavior Graph ID: 446231 (sample: niberius.dll, start date: 09/07/2021, architecture: WINDOWS, score: 100). The graph image is not reproduced here; the information recoverable from it is summarised below.
Process tree: loaddll32.exe starts cmd.exe, rundll32.exe and 4 other processes; cmd.exe starts a further rundll32.exe, which in turn starts svchost.exe.
Network contacts by process:
- rundll32.exe (started by loaddll32.exe): sudepallon.com, nagano-19599.herokussl.com, 2 other IPs or domains
- 4 other processes: 23.21.224.49 (port 80, AMAZON-AES, United States), sudepallon.com, 3 other IPs or domains
- rundll32.exe (started by cmd.exe): sudepallon.com 77.222.42.67 (ports 49719, 49722, 49724; SWEB-AS, Russian Federation), srand04rf.ru 8.211.241.0 (port 80, Alibaba US Technology, Singapore), 3 other IPs or domains
- svchost.exe: pospvisis.com 95.213.179.67 (port 80, SELECTEL, Russian Federation), nagano-19599.herokussl.com, 2 other IPs or domains
Signatures attached to nodes: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; System process connects to network (likely due to code injection or exploit); May check the online IP address of the machine; Contains functionality to inject threads in other processes; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); plus 6 other signatures at the root and 3 other signatures on svchost.exe.
Result
Malware family: hancitor
Score: 10/10
Tags: family:fickerstealer family:hancitor botnet:0707_wvcr downloader infostealer spyware stealer
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Reads local data of messenger clients
Blocklisted process makes network request
Downloads MZ/PE file
Fickerstealer
Hancitor
Malware Config
C2 Extraction:
http://sudepallon.com/8/forum.php
http://anspossthrly.ru/8/forum.php
http://thentabecon.ru/8/forum.php
pospvisis.com:80
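The C2 URLs listed above, the domain and IPs from the behaviour graph, and the rundll32 export name from the "Run method" line are what a responder would actually hunt for. The script below is an added example, not MalwareBazaar's or the reporter's own code: it normalises those indicators and runs them over proxy and process-creation logs. The indicator values are copied from this entry; the log line formats and the log lines themselves are constructed for illustration and do not come from the sandbox run.

```python
"""Hunt the IOCs from this MalwareBazaar entry in proxy and process-creation logs.

Added example, not MalwareBazaar's or the reporter's own code. Indicator values
(C2 URLs, domain:port, resolved IPs, the rundll32 export name) come from the
entry; the log lines and their formats are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators copied from the entry (Malware Config and the behaviour graph).
# They are hunting leads; a match needs triage, not automatic containment.
C2_URLS = [
    "http://sudepallon.com/8/forum.php",
    "http://anspossthrly.ru/8/forum.php",
    "http://thentabecon.ru/8/forum.php",
]
C2_HOSTPORTS = ["pospvisis.com:80"]
C2_IPS = ["77.222.42.67", "8.211.241.0", "95.213.179.67"]
RUN_EXPORT = "ONOQWPYIEIR"  # from "Run method: rundll32.exe [filename],ONOQWPYIEIR"


@dataclass
class Hit:
    source: str      # "proxy" or "process"
    line_no: int
    strength: str    # "strong" (exact IOC) or "weak" (heuristic)
    reason: str


def build_indicators():
    """Normalise the raw IOC strings into sets that are cheap to match against."""
    hosts, paths, ips = set(), set(), set()
    for url in C2_URLS:
        parts = urlsplit(url)
        hosts.add(parts.hostname.lower())
        paths.add(parts.path)
    for hostport in C2_HOSTPORTS:
        hosts.add(hostport.partition(":")[0].lower())
    for ip in C2_IPS:
        ips.add(ipaddress.ip_address(ip))
    return hosts, paths, ips


def hunt_proxy(lines, hosts, paths, ips):
    """Constructed log format: '<ts> <client-ip> <method> <url> <status>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        _ts, _client, method, url, _status = line.split()
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        try:
            host_is_c2_ip = ipaddress.ip_address(host) in ips
        except ValueError:  # host is a name, not an IP literal
            host_is_c2_ip = False
        if host in hosts or host_is_c2_ip:
            hits.append(Hit("proxy", n, "strong", f"request to known C2 {host}"))
        elif method == "POST" and u.path in paths:
            # All three config URLs share one path; a POST to that path on an
            # unlisted host is worth a look but is only a heuristic.
            hits.append(Hit("proxy", n, "weak", f"C2-style POST {u.path} to {host}"))
    return hits


def hunt_process(lines):
    """Constructed log format: '<ts>|<image path>|<command line>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        _ts, image, cmdline = line.split("|", 2)
        if image.lower().endswith("rundll32.exe") and f",{RUN_EXPORT}" in cmdline.upper():
            hits.append(Hit("process", n, "strong", f"rundll32 invoking export {RUN_EXPORT}"))
    return hits


def hunt(proxy_lines, proc_lines):
    hosts, paths, ips = build_indicators()
    return hunt_proxy(proxy_lines, hosts, paths, ips) + hunt_process(proc_lines)


# Constructed sample logs (not taken from the sandbox run in this entry).
PROXY_LOGS = [
    "2021-07-09T01:10:02Z 10.0.0.5 POST http://sudepallon.com/8/forum.php 200",
    "2021-07-09T01:10:03Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2021-07-09T01:10:05Z 10.0.0.5 POST http://95.213.179.67/8/forum.php 200",
    "2021-07-09T01:10:07Z 10.0.0.5 POST http://cdn.example.net/8/forum.php 200",
    "2021-07-09T01:10:09Z 10.0.0.7 GET http://www.example.org/ 200",
]
PROC_LOGS = [
    "2021-07-09T01:09:50Z|C:\\Windows\\System32\\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL",
    "2021-07-09T01:09:58Z|C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\niberius.dll,ONOQWPYIEIR",
    "2021-07-09T01:10:00Z|C:\\Windows\\explorer.exe|explorer.exe",
]

if __name__ == "__main__":
    for hit in hunt(PROXY_LOGS, PROC_LOGS):
        print(f"{hit.source}:{hit.line_no} [{hit.strength}] {hit.reason}")
```

Matching on the resolved IPs is deliberately kept separate from matching on hostnames: the behaviour graph shows the same domain resolving through one hoster while other C2 is reached on different networks, so a hunt that only keys on the domain misses direct-to-IP check-ins, and a hunt that only keys on IPs goes stale as soon as the operators move DNS. The path-only match is marked weak because "/8/forum.php" is a pattern shared across this sample's config, not a proof of this family on its own.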
Unpacked files
SHA256 hash: 73f13c8721906c1ba6abb4a372d1b569a8097e02d8f4285dd1894443054dd51f
MD5 hash: 2758016860bda0e8d2de8d32acc37b33
SHA1 hash: 586357916abfb45384ce3fe2df8249fe4ab32414
Detections: win_hancitor_auto
SHA256 hash: 4dc9d5ee1debdba0388fbb112d4bbbc01bb782f015e798cced3fc2edb17ac557
MD5 hash: d22d8bb38cf8d6a5ce6d8be4106350e7
SHA1 hash: 02fc51e6572a17f5dbbc32c4e3dd03cca3c51afe

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name: Hancitor
Author: threathive
Description: Hancitor Payload
Rule name: win_hancitor_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.hancitor.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments