File name:

GAM_9996757243586095.vbs

Full analysis: https://app.any.run/tasks/59a4c94b-c9d3-4b7c-b29b-1f42740dc7b6
Verdict: Malicious activity
Threats:

Hancitor was created in 2014 to drop other malware on infected machines. It is also known as Tordal and Chanitor. This malware is available as a service which makes it accessible tools to criminals and contributes to the popularity of this virus.

Malware Trends Tracker     >>>
Analysis date: December 02, 2019, 20:23:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
evasion
trojan
hancitor
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with no line terminators
MD5:

E0F8841CF09ED84CAFB8B0D06BE92724

SHA1:

059C26029C9BB8E1A230534E08A798618BF9870B

SHA256:

729AAA301C1B3CBF2CC8702DD6A1900578CDBCB609BED2B3438552E852AE21BE

SSDEEP:

3072:3F5ql1vw1u70zcBYTmtEofvsZc8bg/xkZWlHQj09wXPn/D+EZhbZGtHq56C05iRW:pPPRhbh/tQJbFAPEGhgqC75F

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • regsvr32.exe (PID: 608)

    • Uses SVCHOST.EXE for hidden code execution

      • regsvr32.exe (PID: 608)

    • Connects to CnC server

      • svchost.exe (PID: 2320)

    • HANCITOR was detected

      • svchost.exe (PID: 2320)

  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • WScript.exe (PID: 2464)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2464)

    • Checks for external IP

      • svchost.exe (PID: 2320)

    • Executed via WMI

      • regsvr32.exe (PID: 328)

  • INFO

    • Manual execution by user

      • WScript.exe (PID: 2464)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.cnt | Help File Contents (100)
No data.
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rundll32.exe no specs wscript.exe regsvr32.exe no specs regsvr32.exe no specs #HANCITOR svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
328regsvr32.exe -s C:\Users\admin\AppData\Local\Temp\PbzVeQP.txtC:\Windows\system32\regsvr32.exewmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
4
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
608 -s C:\Users\admin\AppData\Local\Temp\PbzVeQP.txtC:\Windows\SysWOW64\regsvr32.exeregsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
4
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
1644"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\GAM_9996757243586095.vbs.cntC:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imagehlp.dll
2320C:\Windows\System32\svchost.exeC:\Windows\SysWOW64\svchost.exe
regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2464"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\GAM_9996757243586095.vbs" C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
522
Read events
506
Write events
16
Delete events
0

Modification events

(PID) Process:(2464) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2464) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2464) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2464) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2464) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Operation:writeName:Implementing
Value:
1C00000001000000E3070C00010002001400180030003B01010000001E768127E028094199FEB9D127C57AFE
(PID) Process:(2464) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:writeName:{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value:
0100000000000000D993138B4EA9D501
(PID) Process:(2320) svchost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2320) svchost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000007D000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2320) svchost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2320) svchost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
Executable files
1
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2464WScript.exeC:\Users\admin\AppData\Local\Temp\FEN.txt
MD5:
SHA256:
2464WScript.exeC:\Users\admin\AppData\Local\Temp\PbzVeQP.txtexecutable
MD5:
SHA256:
2464WScript.exeC:\Users\admin\AppData\Local\Temp\FEN.txt.zipcompressed
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2320
svchost.exe
POST
200
178.170.248.82:80
http://laticivue.com/4/forum.php
RU
text
12 b
malicious
2320
svchost.exe
GET
200
23.21.72.212:80
http://api.ipify.org/
US
text
14 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2320
svchost.exe
23.21.72.212:80
api.ipify.org
Amazon.com, Inc.
US
malicious
178.170.248.82:80
laticivue.com
Electrics Ltd
RU
malicious

DNS requests

Domain
IP
Reputation
api.ipify.org
  • 23.21.72.212
  • 50.19.218.16
  • 23.23.229.94
  • 23.23.83.153
  • 54.225.169.250
  • 54.225.243.96
  • 54.225.92.64
  • 54.243.147.226
shared
laticivue.com
  • 178.170.248.82
malicious

Threats

PID
Process
Class
Message
2320
svchost.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup api.ipify.org
2320
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Hancitor POST Data send
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
GAM_9996757243586095.vbs