MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d8cb1204c8357152aec8acbf14092de7edd88189eaa6f9cfb8b9b8dbff001e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Hancitor


Vendor detections: 6


Maldoc score: 9


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d8cb1204c8357152aec8acbf14092de7edd88189eaa6f9cfb8b9b8dbff001e8
SHA3-384 hash: ca5aa5ff8c03a08def36305f8ef5da19c9d03339e91c20c32c9b5c5bcb3ef5f199d9b40b75344ed21f550b19b5d5a284
SHA1 hash: 720812694fb50f5e0fffac24b2edaab370539826
MD5 hash: 52fd82d4e234d5f913fd89a000d20171
humanhash: august-lion-white-saturn
File name:1105_748543.doc
Download: download sample
Signature Hancitor
Create hunting rule
File size:375'261 bytes
First seen:2020-11-05 15:34:01 UTC
Last seen:2020-11-06 18:41:43 UTC
File type:Word file doc
MIME type:application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep 6144:ARBsC8MAn2ECUuhyWi0Itn2FOfx6HOE0gaCGePXRyr+tk:A4C8MAn2/hyWi0U2O6uE0gXPByytk
TLSH 8A84121BCD195DA3E468C37ABF574D8DFB4A2C0E495670FC92269DC86F8028B1E4784B
Reporter ffforward
Tags:doc Hancitor

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 9
OLE dump

MalwareBazaar was able to identify 17 sections in this file using oledump:

Section IDSection sizeSection name
A16 bytesPROJECT
A25 bytesPROJECTwm
A32 bytesVBA/Module1
A45 bytesVBA/ThisDocument
A53 bytesVBA/_VBA_PROJECT
A60 bytesVBA/__SRP_0
A70 bytesVBA/__SRP_1
A88 bytesVBA/__SRP_2
A96 bytesVBA/__SRP_3
A107 bytesVBA/__SRP_4
A110 bytesVBA/__SRP_5
A126 bytesVBA/dir
B16 bytesCompObj
B28 bytesOle10Native
B36 bytesObjInfo
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecAutoOpenRuns when the Word document is opened
IOCrundll32.exeExecutable file name
IOCcalc.dllExecutable file name
SuspiciousShellMay run an executable file or a system command
SuspiciousShellExecuteMay run an executable file or a system command
SuspiciousShell32May run an executable file or a system command
SuspiciousCreateObjectMay create an OLE object

Intelligence

File Origin
# of uploads :
3
# of downloads :
338
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
MiscreantPunch.EXEInsideOfDoc.2.UNOFFICIAL
Create hunting rule

MiscreantPunch.EXEInsideOfDoc.1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Moving a file to the %AppData% subdirectory
Launching a process by exploiting the app vulnerability
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name:
Hancitor
Create hunting rule
Detection:
malicious
Classification:
expl.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/521700
Signature
Antivirus detection for URL or domain
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains OLE streams with PE executables
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Microsoft Office program loads Macromedia Flash Player
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Yara detected Hancitor
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 309955 Sample: 1105_748543.doc Startdate: 05/11/2020 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 12 other signatures 2->42 8 WINWORD.EXE 456 50 2->8         started        process3 file4 22 C:\Users\user\AppData\Local\Temp\22.mp4, PE32 8->22 dropped 52 Document exploit detected (process start blacklist hit) 8->52 54 Microsoft Office program loads Macromedia Flash Player 8->54 12 rundll32.exe 8->12         started        signatures5 process6 process7 14 rundll32.exe 9 12->14         started        dnsIp8 30 albilverde.com 193.47.35.27, 80 MIRHOSTINGRU Russian Federation 14->30 32 fabickng.ru 5.187.5.246, 49167, 49173, 80 DE-FIRSTCOLOwwwfirst-colonetDE Spain 14->32 34 4 other IPs or domains 14->34 56 System process connects to network (likely due to code injection or exploit) 14->56 18 svchost.exe 13 14->18         started        signatures9 process10 dnsIp11 24 cussoricti.com 62.76.40.132, 80 CLODO-ASRU Russian Federation 18->24 26 taftahrice.com 5.63.155.126, 49171, 80 AS-REGRU Russian Federation 18->26 28 4 other IPs or domains 18->28 44 System process connects to network (likely due to code injection or exploit) 18->44 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->46 48 Tries to steal Instant Messenger accounts or passwords 18->48 50 2 other signatures 18->50 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d8cb1204c8357152aec8acbf14092de7edd88189eaa6f9cfb8b9b8dbff001e8/
Threat name:
Document-Office.Downloader.Hancitor
Create hunting rule
Status:
Malicious
First seen:
2020-11-05 15:35:00 UTC
AV detection:
26 of 47 (55.32%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=twglcicmqnlrkkxmrlf7cqes3z7n3cayt2vg7hh3rony3p7qahua._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/201105-epswzsceh2/
Behaviour
Enumerates system info in registry
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Office loads VBA resources, possible macro or embedded object present
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Blacklisted process makes network request
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:hancitor
Create hunting rule
Author:J from THL <j@techhelplist.com>
Description:Memory string yara for Hancitor
Rule name:win_hancitor_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link

Comments