MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73b8c566d8cdf3200daa0b698b9d32a49b1ea8284a1e6aa6408eb9c9daaacb71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Hancitor


Vendor detections: 8



SHA256 hash: 73b8c566d8cdf3200daa0b698b9d32a49b1ea8284a1e6aa6408eb9c9daaacb71
SHA3-384 hash: 3af60c61690981b3a50c3d38da374f641515ef05f923e3431aebdc23673c28ee4f4fb4412fbe4ecc2869d313f28d1a65
SHA1 hash: f0c230010c7b85544c25879d4daf74479360e1bc
MD5 hash: 41e0318dfdb1c180a375a7efc712649e
humanhash: pennsylvania-finch-nitrogen-lactose
File name: 0708_5355150121.xll
Signature: Hancitor
File size: 24'488 bytes
First seen: 2021-07-08 14:28:49 UTC
Last seen: 2021-07-08 15:40:52 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 8fc6d9b5f93578c52ec239ef6c29b5ac (1 x Hancitor)
ssdeep: 384:Er7ozcN5pozcU7ZHW7pw0jGWdqFQv6HovAcdKhKAUgLysGpwKNsc8kYN5:ika52naz78+KKd81UgLJc8ks
TLSH: T17AB2BEA77B5495B2CE891D3098CE4B6BAD32F3612ED8447642B0C90C4EE97E4363C25F
Reporter: @James_inthe_box
Tags: dll Hancitor signed xll

Code Signing Certificate

Organisation: Storeks LLC
Issuer: Sectigo Public Code Signing CA R36
Algorithm: sha384WithRSAEncryption
Valid from: 2021-06-09T00:00:00Z
Valid to: 2022-06-09T23:59:59Z
Serial number: 1e5efa53a14599cc82f56f0790e20b17
Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint algorithm: SHA256
Thumbprint: 127b54c50d77a329a145b0a5686e2214d2ed40482c0375d0de278ba4a135dede
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 351
Origin country: US
Mail intelligence: No data
Vendor Threat Intelligence

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Hancitor
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signatures:
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Detected unpacking (overwrites its own PE header)
Document exploit detected (process start blacklist hit)
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files to the user root directory
Found malware configuration
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: MSHTA Spawning Windows Shell
Yara detected Hancitor
Behaviour
Behavior Graph (ID 445958; sample 0708_5355150121.xll; start date 08/07/2021; architecture WINDOWS; score 100)
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures
Process tree (contacted hosts, dropped files and per-process signatures as recorded in the graph):
EXCEL.EXE (started)
  -> contacts srand04rf.ru (8.211.241.0, ports 49724, 49748, 80; CNNIC-ALIBABA-US-NET-AP, Alibaba US Technology Co Ltd, Singapore)
  -> drops C:\Users\Public\res32.hta (HTML)
  -> mshta.exe (started)
     -> powershell.exe (started; Drops PE files to the user root directory; Powershell drops PE file)
        -> snd32sys.exe (started)
           -> contacts sudepallon.com (77.222.42.67, ports 49757, 49758, 49759; SWEB-AS, Russian Federation)
           -> contacts elb097307-934924932.us-east-1.elb.amazonaws.com (23.21.173.155, ports 49756, 80; AMAZON-AES, United States)
           -> 2 other IPs or domains
           -> Detected unpacking (overwrites its own PE header); May check the online IP address of the machine; Contains functionality to inject threads in other processes
        -> powershell.exe (started)
           -> contacts srand04rf.ru
           -> contacts 192.168.2.1 (unknown)
           -> drops C:\Users\Public\snd32sys.exe (PE32)
        -> conhost.exe (started)
Threat name: Win32.Trojan.Babar
Status: Malicious
First seen: 2021-07-08 14:29:07 UTC
File type: PE (Dll)
AV detection: 9 of 46 (19.57%)
Threat level: 5/5
Verdict: unknown

Result
Malware family: hancitor
Score: 10/10
Tags: family:hancitor botnet:0707in2_wvcr downloader
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Looks up external IP address via web service
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Hancitor
Malware Config
C2 Extraction:
http://sudepallon.com/8/forum.php
http://anspossthrly.ru/8/forum.php
http://thentabecon.ru/8/forum.php
Unpacked files
SHA256 hash: 73b8c566d8cdf3200daa0b698b9d32a49b1ea8284a1e6aa6408eb9c9daaacb71
MD5 hash: 41e0318dfdb1c180a375a7efc712649e
SHA1 hash: f0c230010c7b85544c25879d4daf74479360e1bc

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: IPPort_combo_mem
Author: James_inthe_box
Description: IP and port combo

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: SharedStrings
Author: Katie Kleemola
Description: Internal names found in LURK0/CCTV0 samples

Rule name: UAC_bypass_bin_mem
Author: James_inthe_box
Description: UAC bypass in files like avemaria

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments