MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5caa0ee90d4a5013d79a5d6f8c9d5ff921a1fd5cb2ce2a659527ef6573040ef4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Hancitor


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5caa0ee90d4a5013d79a5d6f8c9d5ff921a1fd5cb2ce2a659527ef6573040ef4
SHA3-384 hash: 821eb0d1c3f0e5a7fbd36ab847b6d3a7d6c30a808481e9615ea173ded0f164b5b5cd1830f7ccb2b7130720ba9a841cf2
SHA1 hash: 32f02ff580397b9ecb90169bf5e3e75d918a2b27
MD5 hash: fef942d90365080c1e771cbc80b51273
humanhash: beryllium-six-batman-quebec
File name:ya.wav.dll
Download: download sample
Signature Hancitor
Create hunting rule
File size:237'568 bytes
First seen:2020-11-30 17:24:02 UTC
Last seen:2020-11-30 19:20:54 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 7d9fb5391fa65e89e0b9665b9586de43 (2 x Hancitor)
ssdeep 3072:Z7Cc1s4VR2MVQqkIOfKtC7pEw6FOoDgH0rafWTxPOL+jejC5zrp0d:Yc1VRhQjIRg7pERBDKGvxPOmxzd
Threatray 24 similar samples on MalwareBazaar
TLSH 2234AE1176B8C032FE971639047BC2618A7E7A604B78CED7A3ED1A692F137E1653434A
Reporter James_inthe_box
Tags:dll

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106077/
Detection(s):
SecuriteInfo.com.generic.ml.29509.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending an HTTP POST request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
evad
Score:
21 / 100
Link:
https://www.joesandbox.com/analysis/551186
Signature
Found potential dummy code loops (likely to delay analysis)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 process2 2 Behavior Graph ID: 324709 Sample: ya.wav.dll Startdate: 30/11/2020 Architecture: WINDOWS Score: 21 5 loaddll32.exe 1 2->5         started        process3 7 rundll32.exe 5->7         started        10 rundll32.exe 5->10         started        12 rundll32.exe 5->12         started        signatures4 14 Found potential dummy code loops (likely to delay analysis) 7->14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5caa0ee90d4a5013d79a5d6f8c9d5ff921a1fd5cb2ce2a659527ef6573040ef4/
Threat name:
Win32.Trojan.Malrep
Create hunting rule
Status:
Malicious
First seen:
2020-11-30 17:23:48 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lsva52injjibhv42lvxyzhk77eq2d7k4wlhcuzmve7xwk4yeb32a._file
Verdict:
malicious
Similar samples:
33d4b93f27fa6d5f68443a35b0640269b3f6a1cfd8e0015361e462bc369b0133
Hancitor
3517067834c67dfe59fc941b96ef30a24c946cf9d03e0ba3ef641a5031674b54
Hancitor
54a1ff16fd63ead406eec7b18303d4998ff43c078dc8c4257d6ba593a3e3b24d
Hancitor
560478c5532f341407bed4a90de3f7a53bb36d500691f1f41e7d18a44f354f8a
Hancitor
56e6ed39784fcc4c9b1898a672c06c83b7a3b8ffbbdf90223e52e4865fa183bc
Hancitor
57120da92792471020573332d1ff30fadf4496f77e2652229c6dca7fc8685ae3
Hancitor
65c58463eaf930808c036d35954159c0631961dfcc3abaac19b5ca9d6aabf2b3
Hancitor
827866089f958b9df535168bc3efed843ee0d769cbe015758d90f9199f7b0d25
Hancitor
9a25a087142a27b94b10f71bbd87bccaae81535b28563c0ceb3a2ac17814373e
Hancitor
dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95
Hancitor
+ 14 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/201130-9sykmvm16s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Blacklisted process makes network request
Unpacked files
SH256 hash:
f09fae6ce2f97573a3cf0cbc89a46ffa631e2e73a4899928b84db832286444d5
MD5 hash:
61ffae8076fa9abec369e60ad0c3590f
SHA1 hash:
703331c6a66ea417d651f1839c98887b4c1efbb3
Detections:
win_hancitor_auto
Create hunting rule
Link:
https://www.unpac.me/results/ad1e9b5d-678f-4a7c-8fc6-9bd3406c6e73/
SH256 hash:
5caa0ee90d4a5013d79a5d6f8c9d5ff921a1fd5cb2ce2a659527ef6573040ef4
MD5 hash:
fef942d90365080c1e771cbc80b51273
SHA1 hash:
32f02ff580397b9ecb90169bf5e3e75d918a2b27
Link:
https://www.unpac.me/results/ad1e9b5d-678f-4a7c-8fc6-9bd3406c6e73/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5caa0ee90d4a5013d79a5d6f8c9d5ff921a1fd5cb2ce2a659527ef6573040ef4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:hancitor
Create hunting rule
Author:J from THL <j@techhelplist.com>
Description:Memory string yara for Hancitor
Rule name:win_hancitor_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/106077/

Comments