MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebe7a2c72e2e89732d435a7d491c9cd85f125b1584bb807f921b03dff9d16b94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Hancitor

Vendor detections: 11

SHA256 hash: ebe7a2c72e2e89732d435a7d491c9cd85f125b1584bb807f921b03dff9d16b94
SHA3-384 hash: 319856a86384cea005b155ed30d5d6c727fef924ae6db100bfd1eda51eafe098fd25905d7b8448dcdb7fb68e163fe4dd
SHA1 hash: b809c0a54e70d8d2377fc37a17d952ec98698670
MD5 hash: deef80792ae5c52d3553453d124c0457
humanhash: moon-hamper-seventeen-mango
File name: if.dll
Signature: Hancitor
File size: 1'567'744 bytes
First seen: 2022-01-31 15:54:40 UTC
Last seen: 2022-02-01 13:50:15 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: 3007de2190e837ce8fdd14df41e83963 (1 x Hancitor)
ssdeep: 24576:WFZnAG6MeN+q37iSFj5W56rmDIM7xRPT6ULWXGeME3PwQxf:WFWnrlj5kjRAXmEPwQ
Threatray: 22 similar samples on MalwareBazaar
TLSH: T1E2756D22BE8F9437D4B6163C8C1BA65994397D113E28946B7BF40E4CCF3A7807D1929B
dhash icon: 399998ecd4d46c0e (573 x Quakbot, 293 x GCleaner, 137 x ArkeiStealer)
Reporter: James_inthe_box
Tags: dll Hancitor

Intelligence

File Origin
# of uploads: 2
# of downloads: 808
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
DNS request
Creating a file in the Program Files subdirectories

Result
Threat name: Hancitor
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Behaviour
Behavior Graph: n/a

Threat name: Win32.Trojan.Hancitor
Status: Malicious
First seen: 2022-01-31 15:54:28 UTC
File Type: PE (Dll)
Extracted files: 140
AV detection: 15 of 28 (53.57%)
Threat level: 5/5

Result
Malware family: hancitor
Score: 10/10
Tags: family:hancitor botnet:3101_sjiuwe downloader
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Blocklisted process makes network request

Hancitor
Malware Config
C2 Extraction:
http://cinenmera.com/9/forum.php
http://biquagin.ru/9/forum.php
http://joirwsin.ru/9/forum.php
Unpacked files
SHA256 hash: 5c92ece6b827639ab977936648135c2eeecdafa4054bfc6344fb2d0ac608ee79
MD5 hash: 56ed18a848210196f397332f7eea539c
SHA1 hash: 88db91274d6a18359805bacdea6f364ef2d04c7d
Detections: win_hancitor_auto
SHA256 hash: ebe7a2c72e2e89732d435a7d491c9cd85f125b1584bb807f921b03dff9d16b94
MD5 hash: deef80792ae5c52d3553453d124c0457
SHA1 hash: b809c0a54e70d8d2377fc37a17d952ec98698670
Malware family: CryptOne
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Hancitor
Author: threathive
Description: Hancitor Payload
Rule name: win_hancitor_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.hancitor.

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other