ioc[.]one - OSINT Cyber Threat Intelligence Database

VB Dropper and Shellcode for Hancitor Reveal New Techniques Behind Uptick

Tags

maec-delivery-vectors:	Watering Hole
attack-pattern:	Data Domains - T1583.001 Domains - T1584.001 Malware - T1587.001 Malware - T1588.001 Native Api - T1575 Visual Basic - T1059.005 Execution Through Api - T1106

Show in Graph

Common Information

Type	Value
UUID	b72e0d06-2502-4ad2-b3c4-40415d4e50f1
Fingerprint	bc1d099264bc42ee
Analysis status	DONE
Considered CTI value	2
Text language
Published	Aug. 22, 2016, midnight
Added to db	Sept. 26, 2022, 9:30 a.m.
Last updated	Nov. 17, 2024, 6:54 p.m.
Headline	VB Dropper and Shellcode for Hancitor Reveal New Techniques Behind Uptick
Title	VB Dropper and Shellcode for Hancitor Reveal New Techniques Behind Uptick
Detected Hints/Tags/Attributes	43/2/58

Source URLs

	Redirection	Url
Details	Source	https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/
Details	Source	https://unit42.paloaltonetworks.com/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/

URL Provider

Details	Provider	Source level domain
Details	paloaltonetworks.com	unit42.paloaltonetworks.com
Details	paloaltonetworks.com	researchcenter.paloaltonetworks.com

Attributes

Details	Type	#Events	Value
Details	Url	1	http://moatleftbet.com/sl/gate.php
Details	Url	1	http://mopejusron.ru/sl/gate.php
Details	Url	1	http://muchcocaugh.com/sl/gate.php
Details	Url	1	http://ningtoparec.ru/sl/gate.php
Details	Url	1	http://nodosandar.com/ls/gate.php
Details	Url	1	http://nodosandar.com/zapoy/gate.php
Details	Url	1	http://ritbeugin.ru/ls/gate.php
Details	Url	1	http://rutithegde.ru/sl/gate.php
Details	Url	1	http://surofonot.ru/sl/gate.php
Details	Url	1	http://uldintoldhin.com/sl/gate.php
Details	Url	1	http://unjustotor.com/sl/gate.php
Details	Url	1	http://wassuseidund.ru/sl/gate.php
Details	Yara rule	1	rule hancitor_dropper : vb_win32api { meta: author = "Jeff White - jwhite@paloaltonetworks @noottrak" date = "18AUG2016" hash1 = "03aef51be133425a0e5978ab2529890854ecf1b98a7cf8289c142a62de7acd1a" hash2 = "4b3912077ef47515b2b74bc1f39de44ddd683a3a79f45c93777e49245f0e9848" hash3 = "a78972ac6dee8c7292ae06783cfa1f918bacfe956595d30a0a8d99858ce94b5a" strings: $api_01 = { 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 } $api_02 = { 00 52 74 6C 4D 6F 76 65 4D 65 6D 6F 72 79 00 } $api_04 = { 00 43 61 6C 6C 57 69 6E 64 6F 77 50 72 6F 63 41 00 } $magic = { 50 4F 4C 41 } condition: uint32be(0) == 0xD0CF11E0 and all of ($api_*) and $magic }
Details	Domain	1	levi.com
Details	Domain	1	metlife.com
Details	Domain	1	betsuriin.com
Details	Domain	2	callereb.com
Details	Domain	1	evengsosandpa.ru
Details	Domain	1	felingdoar.ru
Details	Domain	1	gmailsign.info
Details	Domain	1	hecksafaor.com
Details	Domain	1	heheckbitont.ru
Details	Domain	1	hianingherla.com
Details	Domain	1	hihimbety.ru
Details	Domain	1	meketusebet.ru
Details	Domain	1	mianingrabted.ru
Details	Domain	1	moatleftbet.com
Details	Domain	1	mopejusron.ru
Details	Domain	1	muchcocaugh.com
Details	Domain	1	ningtoparec.ru
Details	Domain	1	nodosandar.com
Details	Domain	1	ritbeugin.ru
Details	Domain	1	rutithegde.ru
Details	Domain	1	surofonot.ru
Details	Domain	1	uldintoldhin.com
Details	Domain	1	unjustotor.com
Details	Domain	1	wassuseidund.ru
Details	File	323	winword.exe
Details	File	748	kernel32.dll
Details	File	11	winhost.exe
Details	File	1	com_contract.doc
Details	File	1	generic.doc
Details	File	1	price_list.doc
Details	File	101	gate.php
Details	sha256	1	03aef51be133425a0e5978ab2529890854ecf1b98a7cf8289c142a62de7acd1a
Details	sha256	1	4b3912077ef47515b2b74bc1f39de44ddd683a3a79f45c93777e49245f0e9848
Details	sha256	1	a78972ac6dee8c7292ae06783cfa1f918bacfe956595d30a0a8d99858ce94b5a
Details	Url	1	http://betsuriin.com/sl/gate.php
Details	Url	1	http://callereb.com/zapoy/gate.php
Details	Url	1	http://evengsosandpa.ru/ls/gate.php
Details	Url	1	http://felingdoar.ru/sl/gate.php
Details	Url	1	http://gmailsign.info/plasma/gate.php
Details	Url	1	http://hecksafaor.com/zapoy/gate.php
Details	Url	1	http://heheckbitont.ru/sl/gate.php
Details	Url	1	http://hianingherla.com/sl/gate.php
Details	Url	1	http://hihimbety.ru/sl/gate.php
Details	Url	1	http://meketusebet.ru/sl/gate.php
Details	Url	1	http://mianingrabted.ru/zapoy/gate.php