MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4d402b4ab3b5a5568f35562955d5d05357a589ccda55fde5a2c166ef5f15699. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Hancitor


Vendor detections: 10


Maldoc score: 9


Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash: b4d402b4ab3b5a5568f35562955d5d05357a589ccda55fde5a2c166ef5f15699
SHA3-384 hash: 9eb0e5bfe8e6a5393f5c2b4f3c7aa3ff3ac9597516f394857e7a8756f4afed09b688acd6a65aad31ce6b5aacebf59438
SHA1 hash: 866086438592043aebb88f3da34ad437681a5cb0
MD5 hash: 992338b40b38f1f55bd4a9599f70771c
humanhash: floor-eighteen-illinois-sierra
File name:0708_3355614568218.doc
Download: download sample
Signature Hancitor
File size:898'048 bytes
First seen:2021-07-09 01:05:55 UTC
Last seen:Never
File type:Word file doc
MIME type:application/msword
ssdeep 12288:+BGIYW4wA74FRrUSJUnKERsY10hYBzSF6G8MHZf5th8NS+LBb+HZy3ykWy2UIHkJ:+EIZ4wA74D4SQKxZcy8gthDWa5dynIM
TLSH T1E615E1003681C836DA6702790FB6EB9523BC7C215B14CACB3B99779E6F765E25931383
Reporter @malware_traffic
Tags:doc Hancitor macros MAN1 Moskalvzapoe TA511

Office OLE Information


This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 9
Application name is Microsoft Office Word
Office document is in OLE format
Office document contains VBA Macros
OLE dump
Sections: 24

The following OLE sections have been found using oledump:

Section IDSection sizeSection name
1114 bytesCompObj
2280 bytesDocumentSummaryInformation
3424 bytesSummaryInformation
48450 bytes1Table
5566599 bytesData
6515 bytesMacros/PROJECT
7113 bytesMacros/PROJECTwm
82819 bytesMacros/VBA/Module1
9689 bytesMacros/VBA/Module2
101994 bytesMacros/VBA/Module3
115473 bytesMacros/VBA/ThisDocument
123880 bytesMacros/VBA/_VBA_PROJECT
133020 bytesMacros/VBA/__SRP_0
14429 bytesMacros/VBA/__SRP_1
151887 bytesMacros/VBA/__SRP_2
16458 bytesMacros/VBA/__SRP_3
17630 bytesMacros/VBA/__SRP_4
18364 bytesMacros/VBA/__SRP_5
19729 bytesMacros/VBA/dir
2076 bytesObjectPool/_1687137834/CompObj
21274741 bytesObjectPool/_1687137834/Ole10Native
224980 bytesObjectPool/_1687137834/EPRINT
236 bytesObjectPool/_1687137834/ObjInfo
244096 bytesWordDocument
OLE vba
TypeKeywordDescription
AutoExecDocument_OpenRuns when the Word or Publisher document is opened
IOCniberius.dllExecutable file name
IOCnimb.dllExecutable file name
SuspiciousShellExecuteAMay run an executable file or a system command
Suspiciousshell32May run an executable file or a system command
SuspiciousLibMay run code from a DLL
SuspiciousBase64 StringsBase64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads :
1
# of downloads :
370
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0708_3355614568218.doc
Verdict:
Malicious activity
Analysis date:
2021-07-09 01:02:02 UTC
Tags:
macros ole-embedded macros-on-open generated-doc evasion trojan hancitor ficker stealer loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/msword
Has a screenshot:
False
Contains macros:
True
Result
Verdict:
Malicious
File Type:
Legacy Word File with Macro
Document image
Document image
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Document With Few Pages
Document contains between one and three pages of content. Most malicious documents are sparse in page count.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Macro with DLL Reference
Detected macro logic that will load additional functionality from Dynamically Linked Libraries (DLLs). While not explicitly malicious, this is a common tactic for accessing APIs that are not otherwised exposed via Visual Basic for Applications (VBA).
Result
Threat name:
Ficker Stealer Hancitor
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains OLE streams with PE executables
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Found malware configuration
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Yara detected Ficker Stealer
Yara detected Hancitor
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 446230 Sample: 0708_3355614568218.doc Startdate: 09/07/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Multi AV Scanner detection for domain / URL 2->38 40 Found malware configuration 2->40 42 15 other signatures 2->42 8 WINWORD.EXE 305 47 2->8         started        process3 file4 22 C:\Users\user\AppData\Local\Temp\nimb.dll, PE32 8->22 dropped 52 Document exploit detected (creates forbidden files) 8->52 12 rundll32.exe 8->12         started        signatures5 process6 process7 14 rundll32.exe 9 12->14         started        dnsIp8 30 sudepallon.com 77.222.42.67, 49166, 49170, 49171 SWEB-ASRU Russian Federation 14->30 32 srand04rf.ru 8.211.241.0, 49167, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 14->32 34 3 other IPs or domains 14->34 54 System process connects to network (likely due to code injection or exploit) 14->54 56 May check the online IP address of the machine 14->56 58 Contains functionality to inject threads in other processes 14->58 18 svchost.exe 13 14->18         started        signatures9 process10 dnsIp11 24 pospvisis.com 95.213.179.67, 49172, 49178, 80 SELECTELRU Russian Federation 18->24 26 23.21.211.162, 49169, 80 AMAZON-AESUS United States 18->26 28 3 other IPs or domains 18->28 44 System process connects to network (likely due to code injection or exploit) 18->44 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->46 48 May check the online IP address of the machine 18->48 50 3 other signatures 18->50 signatures12
Threat name:
Document-Word.Trojan.Valyria
Status:
Malicious
First seen:
2021-07-09 01:06:07 UTC
AV detection:
16 of 46 (34.78%)
Threat level:
  5/5
Result
Malware family:
hancitor
Score:
  10/10
Tags:
family:fickerstealer family:hancitor downloader infostealer macro macro_on_action spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
NTFS ADS
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Loads dropped DLL
Reads local data of messenger clients
Blocklisted process makes network request
Downloads MZ/PE file
Fickerstealer
Hancitor
Process spawned unexpected child process
Malware Config
C2 Extraction:
pospvisis.com:80

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:hancitor_halo_generated
Author:Halogen Generated Rule, Corsin Camichel
Rule name:INDICATOR_OLE_ObjectPool_Embedded_Files
Author:ditekSHen
Description:Detects OLE documents with ObjectPool OLE storage and embed suspicous excutable files
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments