analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

GAM_9996757243586095.vbs

Full analysis: https://app.any.run/tasks/59a4c94b-c9d3-4b7c-b29b-1f42740dc7b6
Verdict: Malicious activity
Threats:

Hancitor was created in 2014 to drop other malware on infected machines. It is also known as Tordal and Chanitor. This malware is available as a service which makes it accessible tools to criminals and contributes to the popularity of this virus.

Malware Trends Tracker     >>>
Analysis date: December 02, 2019, 20:23:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
evasion
trojan
hancitor
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with no line terminators
MD5:

E0F8841CF09ED84CAFB8B0D06BE92724

SHA1:

059C26029C9BB8E1A230534E08A798618BF9870B

SHA256:

729AAA301C1B3CBF2CC8702DD6A1900578CDBCB609BED2B3438552E852AE21BE

SSDEEP:

3072:3F5ql1vw1u70zcBYTmtEofvsZc8bg/xkZWlHQj09wXPn/D+EZhbZGtHq56C05iRW:pPPRhbh/tQJbFAPEGhgqC75F

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • regsvr32.exe (PID: 608)

    • Connects to CnC server

      • svchost.exe (PID: 2320)

    • HANCITOR was detected

      • svchost.exe (PID: 2320)

    • Uses SVCHOST.EXE for hidden code execution

      • regsvr32.exe (PID: 608)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2464)

    • Executed via WMI

      • regsvr32.exe (PID: 328)

    • Checks for external IP

      • svchost.exe (PID: 2320)

    • Reads the machine GUID from the registry

      • WScript.exe (PID: 2464)

  • INFO

    • Manual execution by user

      • WScript.exe (PID: 2464)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.cnt | Help File Contents (100)
No data.
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rundll32.exe no specs wscript.exe regsvr32.exe no specs regsvr32.exe no specs #HANCITOR svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1644"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\GAM_9996757243586095.vbs.cntC:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2464"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\GAM_9996757243586095.vbs" C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
328regsvr32.exe -s C:\Users\admin\AppData\Local\Temp\PbzVeQP.txtC:\Windows\system32\regsvr32.exewmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
4
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
608 -s C:\Users\admin\AppData\Local\Temp\PbzVeQP.txtC:\Windows\SysWOW64\regsvr32.exeregsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
4
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2320C:\Windows\System32\svchost.exeC:\Windows\SysWOW64\svchost.exe
regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
522
Read events
506
Write events
16
Delete events
0

Modification events

(PID) Process:(2464) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2464) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2464) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2464) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2464) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Operation:writeName:Implementing
Value:
1C00000001000000E3070C00010002001400180030003B01010000001E768127E028094199FEB9D127C57AFE
(PID) Process:(2464) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:writeName:{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value:
0100000000000000D993138B4EA9D501
(PID) Process:(2320) svchost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2320) svchost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000007D000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2320) svchost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2320) svchost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
Executable files
1
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2464WScript.exeC:\Users\admin\AppData\Local\Temp\FEN.txt
MD5:
SHA256:
2464WScript.exeC:\Users\admin\AppData\Local\Temp\FEN.txt.zipcompressed
MD5:DE2838107EB2A503BC6866FFEAF8CDE5
SHA256:4232CCC048AE1522A64BCD74A0C486D2ABEA36FA685C352E5C35BFB4E913165C
2464WScript.exeC:\Users\admin\AppData\Local\Temp\PbzVeQP.txtexecutable
MD5:DAA9B06974FA5963B39E0120BABE138C
SHA256:F01881DBFF4546BD2D66A49CC01EE09E306C025AAA4DF16022EB826426F2E004
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2320
svchost.exe
GET
200
23.21.72.212:80
http://api.ipify.org/
US
text
14 b
shared
2320
svchost.exe
POST
200
178.170.248.82:80
http://laticivue.com/4/forum.php
RU
text
12 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2320
svchost.exe
23.21.72.212:80
api.ipify.org
Amazon.com, Inc.
US
malicious
178.170.248.82:80
laticivue.com
Electrics Ltd
RU
malicious

DNS requests

Domain
IP
Reputation
api.ipify.org
  • 23.21.72.212
  • 50.19.218.16
  • 23.23.229.94
  • 23.23.83.153
  • 54.225.169.250
  • 54.225.243.96
  • 54.225.92.64
  • 54.243.147.226
shared
laticivue.com
  • 178.170.248.82
malicious

Threats

PID
Process
Class
Message
2320
svchost.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup api.ipify.org
2320
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Hancitor POST Data send
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
GAM_9996757243586095.vbs