MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4427ef6b665bf0563f23fde314caf9f905ab1e049fc5c0b33384d526ec3cbf1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Hancitor


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4427ef6b665bf0563f23fde314caf9f905ab1e049fc5c0b33384d526ec3cbf1
SHA3-384 hash: 39417c472f17e19c824a15076de33cb23cc3cb39cee3f436dbc1a6dfdd59b0e48a9aee2d4ec2a968805e99eff2605130
SHA1 hash: 65731d02a9a9899b1ee72e822d3dab2129fffa9a
MD5 hash: e8a8c90d7da67da7ee790e9e49127cf7
humanhash: grey-eleven-lima-march
File name:han.exe
Download: download sample
Signature Hancitor
Create hunting rule
File size:512'000 bytes
First seen:2020-10-14 17:00:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 09bd7858ed4ec198b5f5c8e9ff37e5d1 (1 x Hancitor)
ssdeep 3072:5aJU0yU9VRyDIdp9D9d8GpfJd5DSqvOYxdZo5KKtRmHeuYHxrOxf:5asKdp95mG/2qJduQSRoeuWx
Threatray 394 similar samples on MalwareBazaar
TLSH FCB48024968EB34DE6CBBAB0DA71FBE24AC12CD2909C71C583B57DE4ED192E144344BD
Reporter Anonymous
Tags:Hancitor

Intelligence

File Origin
# of uploads :
1
# of downloads :
372
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70987/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Launching cmd.exe command interpreter
Sending a UDP request
DNS request
Sending an HTTP GET request
Sending an HTTP POST request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/491578
Signature
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f4427ef6b665bf0563f23fde314caf9f905ab1e049fc5c0b33384d526ec3cbf1/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2020-10-14 17:02:08 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6rbh55vwmw7qky7sh7pdctfpt6ifvmpajh6fyczthbgve3wdzpyq._file
Verdict:
malicious
Similar samples:
12f87dd075fc12c2b6b15a1eb5ca209ba056bb6aa2feaf3518163192a17a7a3b
Hancitor
23155ae9b7f7b7884dfdc820fd77f7600875dafcf39df4d941240f90fe06ae2d
Hancitor
6e079394b3a3085d572975115b334d813a79cd5833509b6afa45542687a5dfce
Hancitor
a1ea6e27f13d729c388d0cf8a22f07407bf52290d0b68f4d4da1637d3a2b8eea
Hancitor
bd6840cc208517847e130db0c847e715ba80a88e210e6383b37c1d0381877ee5
Hancitor
d2dc9258298926747843158ea28506df874f0810ba986112715ddee022455c1f
Hancitor
d62a40010c67fd83e79a6307c7be774a26ddf38f05c71785936227f3b6882584
Hancitor
e52d446a99ecb9ca9f18365bab6f30e2cc1f6a97f668ea6ac38ce2a9b9ae3784
Hancitor
e892dbc4036d53ede078f61452515f549d8bac9a471adff6c3a9bad0b99965d2
Hancitor
e892e7f5b3919e1c3d92ee26e7b4313e753cad797e3397138a1ccef2b1289b1d
Hancitor
+ 384 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/201014-bzt48wbbj6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Adds Run key to start application
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
f4427ef6b665bf0563f23fde314caf9f905ab1e049fc5c0b33384d526ec3cbf1
MD5 hash:
e8a8c90d7da67da7ee790e9e49127cf7
SHA1 hash:
65731d02a9a9899b1ee72e822d3dab2129fffa9a
Link:
https://www.unpac.me/results/b933d551-be1b-478b-8e22-d9e1438bcdb9/
SH256 hash:
e85ef9c26fe0fb7bc53d32ce88a3245d0212e2fae53410539d944a6a52ba5724
MD5 hash:
172212826ba474b174a98d51c258bcfe
SHA1 hash:
00c72684a0d9d4fbffc12ad513598c2e11e2df2d
Link:
https://www.unpac.me/results/b933d551-be1b-478b-8e22-d9e1438bcdb9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Locky
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f4427ef6b665bf0563f23fde314caf9f905ab1e049fc5c0b33384d526ec3cbf1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:hancitor
Create hunting rule
Author:J from THL <j@techhelplist.com>
Description:Memory string yara for Hancitor

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/70987/

Comments