Hancitor

Hancitor was created in 2014 to drop other malware on infected machines. It is also known as Tordal and Chanitor. This malware is available as a service which makes it accessible tools to criminals and contributes to the popularity of this virus.

Type
Loader
Origin
Unknown
First seen
1 January, 2014
Last seen
7 January, 2020
Also known as
Tordal
Chanitor
Global rank
25
Week rank
27
Month rank
27
IOCs
892

What is Hancitor malware?

Hancitor, sometimes called Tordal and Chanitor is a loader designed to install other malware on the victim’s PC – most often it’s either Pony, Vawtrak, or DELoader. The malware has been around since 2014 and it is distributed to other users as a service by the original creators.

This malware can’t be considered dangerous since even Microsoft's built-in antivirus Windows Defender can detect it. On top of that, being distributed in email spam campaigns, in a lot of cases emails don’t even reach their targets, being intercepted by spam filters. In essence, the only people truly in danger of getting infected by Hancitor, are those who still utilize older Windows version like Windows seven or earlier and who either don’t have or disabled their antivirus software. Curiously, despite such a limited “target audience”, Hancitor creators continue to update this malware and it is still very active to this day.

General description of the Hancitor Trojan

Creators of Hancitor provide their loader as a service to other criminals, helping to install various malware on the target PCs. The people behind Hancitor are extremely active and organized. Some researchers suspect that they work full business weeks since the surge of Hancitor attacks usually takes place on business days and falls off on the weekends, which suggests that the hackers responsible have a work structure and a schedule.

Despite that, Hancitor loader has not changed very much since 2016 and to this day relies on very simple execution and evasion techniques which makes it’s detection and prevention relatively easy, especially for corporate targets with adequate levels of cybersecurity.

The 2016 version of the malware had 66 functions and had the size of 20 480 bytes while the 2018 version is made up of 51 functions that amount to the size of 20 992 bytes. One of the main differences between the versions is the lack of connectivity check functionality in the 2018 iteration. As such, the older iteration of Hancitor would try to connect to Google.com during execution to check for connections whereas the never iteration fully omits this step. The newer version also makes use of the RC4 encryption and contains some updated commands.

Not unlike other malware, Hancitor Trojan uses several attack vectors to maximize the success rate. Hancitor creators have exploited uncommon API abuse and PowerShell methods among others to ensure the successful infection.

Over the last two years, over 80 variations of Hancitor were detected in the wild. Usually, a new variation would be created simply to define a new variable for a different campaign, while in other times the basic functions of the loader were completely changed and rewritten. However, such instances were rather rare and highly rewritten samples didn’t stick around for long. Some researchers believe that in such instances the malware authors were testing different approaches and keeping track of the infection rate to determine what changes should remain and which innovations should go.

Hancitor malware analysis

A video recorded on the ANY.RUN malware hunting service displays the execution process of Hancitor.

process graph hancitor execution

Figure 1: A visual graph of Hancitor execution processes generated by ANY.RUN

text report of the hancitor malware analysis

Figure 2: A customizable text report shown here was generated in the ANY.RUN malware huting service

Hancitor execution process

Because of its main purpose, the execution of Hancitor doesn't look that impressive. Since the most common vector of attack to infect users' devices is malicious spam campaigns, Hancitor mostly gets into devices with Microsoft Office files. Once the user downloads and opens the malicious file, the malware either use the lure to trick the victim into enabling macros or uses an exploit. After that Hancitor will be either downloaded from the C2 server or dropped from an Office file. The next step is its execution during which the malware downloads the main payload, usually a trojan such as Pony, Vawtrak, or DELoader.

Distribution of Hancitor

Hancitor trojan is usually distributed in malspam campaigns as a malicious Microsoft Office file attachment. However, since most organizations started improving their cybersecurity measures some campaigns distributing Hancitor contain a link pointing at the website from where this loader is downloaded.

In the case of distribution using .DOC attachments, the user must first download the file and then activate macros, ignoring multiple security warning. Malware authors use lures to trick users into doing that. Some phishing emails contain an invoice or a fake payment related document, trying to make the user download it. In addition, attackers provide instruction to enable macros. If the user complies, malicious macros will download Hancitor or it will be dropped from the document.

In some malspam campaigns, Hancitor was delivered to victims with .RTF documents which used an exploit to run the PowerShell command which downloaded the loader to the computer.

How to detect Hancitor using ANY.RUN?

Analysts can take a look at what modules malware uses. Choose the process by clicking on it in the process tree of the task then click on the "More info" button. In "Advanced details of process" window switch to the "Registry changes" tab and take a closer look.

modules loaded by hancitor Figure 3: Modules loaded by Hancitor

Conclusion

Despite its simplicity and vulnerability to even simple countermeasures, Hancitor Trojan somehow remains to be an active malware which continues to target it is limited demographic, evidently with a good success rate. The authors of this loader are extremely active and regularly come up with new iterations of Hancitor.

Researchers can take advantage of malware hunting services such as ANY.RUN to take Hancitor samples apart and study this loader in-depth.

IOCs

IP addresses
213.186.33.2
209.99.40.220
213.186.33.4
212.58.3.66
202.124.241.203
216.108.227.103
63.247.87.2
185.47.131.52
82.200.247.241
177.12.164.114
81.90.180.191
185.22.65.8
176.103.48.224
83.220.141.232
185.74.254.26
88.119.179.195
122.114.134.224
167.114.24.10
164.132.44.218
79.143.190.72
Hashes
1199b24d407ccdddf83fafaf8d63e971edaafded99214bee6b2ad4906729e4d7
e60ffcbb61eb448085a0375a2ec8f23fdd48198e1a7bc73090320bb4b7705e6e
45844543c5cdb28d6e67f38e8efbf66a6d40d1dd376de434e2786541610b6cd5
aa5e9fed3431b832eac02e777df648318d8e06740ed99021708c449972588f23
433c702d875c18e2b56c4252490dbf854f42cef81fccff714321d751e496c500
d9e9bcc01d4742ebf4294ff580422e01b841741404968ba9fd4bb2d6396d8148
d16f1d82ace24ed81113f0ef315e96a2e4d8a28f848e33f59907078b9dd670a9
5fb99412ea57178c18f2fcb8ece502ca9101e25fddb0801c3baa54725a276079
55ede14b2dbad82dd5fcc13fd8ee5a5a8a419621f4958f88643e3f944144660e
463714fb98a2d18aaa5b6b29782822b4971034de9ea9da06708974cabcc999aa
02258bfbe7dd5966e0fcc342277f0ce537444c62aeed9adb1b913c48b6c7f2ed
78030746edebb36cc6a7e42456e5186fc9fe317ae9f39d0ec03da91262c49bab
4fc205955c7c12fce971e664cbad64b674b6d2e815ba0eca6d26b450b391212e
70d16fb632ff6b12eb08d873bee35d27a82df9f76ec4a21a1c09df7befa6ca8c
f5fa0a0f444d33c8485450beb01dd5b338c15996fd48670e2727bf3552e6a59d
e36d83db3ee1e735d8148f0b6dc38c8fb238af563ec53d9aab197909b678dd61
ee3f6c3fe59b1f5925699e91f49ea5439c0daae112173a303d2c25dd36a42b35
4064ac41dbf2e965456b48d605e61387fbe7ba624b6dec7d8755d8040c17f171
d3fad6911b80be1d64eb88ba23fecbcddc2faa73017b6dbcf78578eff47552ed
5e42ff5404aa8632852afeab9a95187be2bc8a44c37766efa2643b8f3a0bf929
Domains
qxq.ddns.net
thuocnam.tk
majul.com
m-onetrading-jp.com
krupskaya.com
isns.net
wordpress.roucou.fr
tp00.everesttech.net.akadns.net
sezmakzimpara.com
www.the-converter.net
www.hoteltruite.com
fauxflower.com.au
excel.engalere.com
wonyheghi.com
hinaningutca.com
elesengrity.com
beestunduras.com
hismosedkaj.com
huncribeen.com
ursreklam.com

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat and JSocket is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information including passwords and credit card details as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More
Danabot screenshot
Danabot
danabot trojan stealer
Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild this is one of the most advanced thanks to the modular design and a complex delivery method.
Read More
Dridex screenshot
Dridex
dridex trojan banker
Dridex is a very evasive and technically complex banking Trojan. Despite being based on a relatively old malware code, it was substantially updated over the years and became capable of using very effective infiltration techniques that make this malware especially dangerous.
Read More