MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Hancitor


Vendor detections: 6


Maldoc score: 11


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95
SHA3-384 hash: 44f3fc18b29baac3801481b4dd8e5456b68bd4ac680a71a14fb36ab3e116e28b5760139aa34d5665f6a93af7a774bdb2
SHA1 hash: d18f046a0fdbefb79ec85a22404e402e6e56f2bf
MD5 hash: 06ba06269873237b18c23a82da59f492
humanhash: robert-triple-july-solar
File name:1119_673423.doc
Download: download sample
Signature Hancitor
Create hunting rule
File size:329'728 bytes
First seen:2020-11-19 15:51:49 UTC
Last seen:2020-11-25 16:36:59 UTC
File type:Word file doc
MIME type:application/msword
ssdeep 6144:/5HOE0gaCGePXRyr+tvStjMBsHHKEf/z3kG1X/tVo9:xuE0gXPByytvStABaL/Tk+g9
TLSH 6664BE13BA54CC33D067C3387E61CAAAB72ABC045F64A5DB32543F9E6F316905A21397
Reporter ffforward
Tags:Hancitor

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 11
Application name is Microsoft Office Word
Office document is in OLE format
Office document contains VBA Macros
OLE dump

MalwareBazaar was able to identify 18 sections in this file using oledump:

Section IDSection sizeSection name
1114 bytesCompObj
2280 bytesDocumentSummaryInformation
3440 bytesSummaryInformation
47890 bytes1Table
5129483 bytesData
6504 bytesMacros/PROJECT
7113 bytesMacros/PROJECTwm
83421 bytesMacros/VBA/Module1
92105 bytesMacros/VBA/Module2
101052 bytesMacros/VBA/Module3
111848 bytesMacros/VBA/ThisDocument
123508 bytesMacros/VBA/_VBA_PROJECT
13680 bytesMacros/VBA/dir
1476 bytesObjectPool/_1667265592/CompObj
15160182 bytesObjectPool/_1667265592/Ole10Native
164968 bytesObjectPool/_1667265592/EPRINT
176 bytesObjectPool/_1667265592/ObjInfo
184096 bytesWordDocument
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecAutoOpenRuns when the Word document is opened
IOCW0rd.dllExecutable file name
IOC32.exeExecutable file name
SuspiciousShellMay run an executable file or a system command
SuspiciousShellExecuteMay run an executable file or a system command
SuspiciousShell32May run an executable file or a system command
SuspiciousCreateObjectMay create an OLE object
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
2
# of downloads :
423
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Badmacro.Doc.Em32.UNOFFICIAL
Create hunting rule

Sanesecurity.Badmacro.doc_shellao.UNOFFICIAL
Create hunting rule

MiscreantPunch.EXEInsideOfDoc.2.UNOFFICIAL
Create hunting rule

MiscreantPunch.EXEInsideOfDoc.1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Moving a file to the %AppData% subdirectory
DNS request
Sending an HTTP GET request
Sending an HTTP POST request
Launching a process
Creating a file
Sending a custom TCP request
Reading critical registry keys
Launching a service
Stealing user critical data
Launching a process by exploiting the app vulnerability
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Document With Few Pages
Document contains between one and three pages of content. Most malicious documents are sparse in page count.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name:
Hancitor
Create hunting rule
Detection:
malicious
Classification:
expl.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/543180
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to inject threads in other processes
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains OLE streams with PE executables
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Writes to foreign memory regions
Yara detected Hancitor
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 320687 Sample: 1119_673423.doc Startdate: 19/11/2020 Architecture: WINDOWS Score: 100 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus detection for URL or domain 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 11 other signatures 2->41 7 WINWORD.EXE 32 48 2->7         started        process3 file4 21 C:\Users\user\AppData\Local\Temp\ya.wav, PE32 7->21 dropped 51 Document exploit detected (process start blacklist hit) 7->51 11 rundll32.exe 12 7->11         started        15 splwow64.exe 7->15         started        signatures5 process6 dnsIp7 29 nickfreitasforcongress.com 8.208.13.158, 49764, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 11->29 31 denduchor.com 185.133.40.192, 49763, 49775, 80 ADMAN-ASRU Russian Federation 11->31 33 3 other IPs or domains 11->33 53 System process connects to network (likely due to code injection or exploit) 11->53 55 Contains functionality to inject threads in other processes 11->55 57 Writes to foreign memory regions 11->57 59 2 other signatures 11->59 17 svchost.exe 16 11->17         started        signatures8 process9 dnsIp10 23 cussoricti.com 185.18.52.47, 49766, 49772, 80 WORLDSTREAMNL Spain 17->23 25 174.129.214.20, 49765, 80 AMAZON-AESUS United States 17->25 27 3 other IPs or domains 17->27 43 System process connects to network (likely due to code injection or exploit) 17->43 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->45 47 Tries to steal Instant Messenger accounts or passwords 17->47 49 2 other signatures 17->49 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95/
Threat name:
Document-Word.Dropper.SDrop
Create hunting rule
Status:
Malicious
First seen:
2020-11-19 15:53:31 UTC
File Type:
Document
Extracted files:
29
AV detection:
20 of 28 (71.43%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=37pxtu2vyeey2tgov5czcianguaavwdklbo7oj5t47tm67ovr2kq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
macro spyware
Link:
https://tria.ge/reports/201119-y5pqf6m5q2/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Blacklisted process makes network request
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:hancitor
Create hunting rule
Author:J from THL <j@techhelplist.com>
Description:Memory string yara for Hancitor
Rule name:win_hancitor_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link

Comments