Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now
72
Global rank
132 infographic chevron month
Month rank
128 infographic chevron week
Week rank
0
IOCs

Hancitor was created in 2014 to drop other malware on infected machines. It is also known as Tordal and Chanitor. This malware is available as a service which makes it accessible tools to criminals and contributes to the popularity of this virus.

Loader
Type
Unknown
Origin
1 January, 2014
First seen
15 September, 2025
Last seen
Also known as
Tordal
Chanitor

How to analyze Hancitor with ANY.RUN

Type
Unknown
Origin
1 January, 2014
First seen
15 September, 2025
Last seen

IOCs

IP addresses
213.186.33.2
74.208.236.239
43.255.154.47
77.246.147.110
109.71.254.182
194.135.33.165
154.216.78.126
154.216.69.43
154.216.84.200
154.216.78.119
154.216.69.57
154.216.85.214
154.216.69.34
154.216.82.18
154.216.84.211
154.216.82.27
154.216.84.218
154.216.78.108
154.216.82.0
154.216.85.196
Hashes
eea0083ac04f8bfb3042acd615cabd7be77dee410c8db229b5980379b224e93f
d9e9bcc01d4742ebf4294ff580422e01b841741404968ba9fd4bb2d6396d8148
e60ffcbb61eb448085a0375a2ec8f23fdd48198e1a7bc73090320bb4b7705e6e
f5fa0a0f444d33c8485450beb01dd5b338c15996fd48670e2727bf3552e6a59d
33f858c7a764b544822ef18d46c96d07cc9187d147cc055d74abefe86a74568f
433c702d875c18e2b56c4252490dbf854f42cef81fccff714321d751e496c500
31af1b2c498f4e71e25433465f3c12a28feccf8d5ac8deaa5479a3a55bf8c1d2
d63b932fcdc8f217809347d0f5b1bd95ffebb5441645c344c476c74ebced9d45
02258bfbe7dd5966e0fcc342277f0ce537444c62aeed9adb1b913c48b6c7f2ed
2c6acafd23370e2c8cb549120034b40aea835a382e0d8917801e802507a8dd6d
584a53f8eb80dd71a81e908ab5e88fc3548fa97553ec40b05447dbb7b1bba4da
5e42ff5404aa8632852afeab9a95187be2bc8a44c37766efa2643b8f3a0bf929
194b3a2e69218821006e838bd965f90b9a24eba7ccc59446549a0b37bbfd7247
14a7624f2235da4073319e49f18f5097d2aebe4e4260852e7f7a31171842b27c
ad976c2ad23b82591212d618538a402bff772aee05a6ac94b7bdf590f872d63a
aa5e9fed3431b832eac02e777df648318d8e06740ed99021708c449972588f23
69d31631316a841ae89e81d2efdcb2b3003e6c41da09a096231605d9ff9292ae
cd78243e2a4e94cd61aa95edfb4708ceeed5a3ed50ee9b81c57d0935908eb23e
78030746edebb36cc6a7e42456e5186fc9fe317ae9f39d0ec03da91262c49bab
846d1e1d019d5bc2a05940b119e19a07643f2e3851184f843960cfd949280894
Domains
aselemek.com
eummentur.ru
bilighbohooll.ru
lielftworiss.com
belcineloweek.ru
rindicatle.ru
hadevatjulps.com
thistrespor.ru
sibiquan.ru
witakilateg.com
mymooney.ru
laadlifashionworld.com
diverbsez.ru
mamaboss.io
hersdintfortho.ru
nepbag.com
webdev-wazoomstudio.online
thegbars.net
thougolograrly.ru
ulaginceter.com
URLs
http://justhardogot.ru/4/forum.php
http://utteronhim.ru/4/forum.php
http://ludiesibut.ru/8/forum.php
http://satursed.com/8/forum.php
http://sameastar.ru/8/forum.php
http://fruciand.com/8/forum.php
http://forticheire.ru/8/forum.php
http://nentrivend.ru/8/forum.php
http://plogesuct.com/4/forum.php
http://orialoussin.ru/4/forum.php
http://cationfrob.ru/4/forum.php
http://pritupertion.com/4/forum.php
http://nanogeelr.com/9/forum.php
http://ockpitehou.ru/9/forum.php
http://thervidrmet.ru/4/forum.php
http://frobenalin.ru/4/forum.php
http://lumentsawfu.ru/9/forum.php
http://thowerteigime.com/8/forum.php
http://euvereginumet.ru/8/forum.php
http://rhopulforopme.ru/8/forum.php
Last Seen at

Recent blog posts

post image
Release Notes: Palo Alto Networks, Microsoft,...
watchers 1127
comments 0
post image
FunkSec’s FunkLocker: How AI Is Powering the...
watchers 2848
comments 0
post image
ANY.RUN & MS Defender: Enrich Alerts Faster,...
watchers 2797
comments 0

What is Hancitor malware?

Hancitor, sometimes called Tordal and Chanitor is a loader designed to install other malware on the victim’s PC – most often it’s either Pony, Vawtrak, or DELoader. The malware has been around since 2014 and it is distributed to other users as a service by the original creators via malspam.

This malware can’t be considered dangerous since even Microsoft's built-in antivirus Windows Defender can detect it. On top of that, being distributed in malspam campaigns, in a lot of cases emails don’t even reach their targets, being intercepted by spam filters. In essence, the only people truly in danger of getting infected by Hancitor, are those who still utilize older Windows versions like Windows seven or earlier and who either don’t have or disabled their antivirus software. Curiously, despite such a limited “target audience”, Hancitor creators continue to update this malware and it is still very active to this day.

General description of the Hancitor Trojan

Creators of Hancitor provide their loader as a service to other criminals, helping to install various malware on the target PCs. The people behind Hancitor are extremely active and organized. Some researchers suspect that they work full business weeks since the surge of Hancitor attacks usually takes place on business days and falls off on the weekends, which suggests that the hackers responsible have a work structure and a schedule.

Despite that, Hancitor loader has not changed very much since 2016 and to this day relies on very simple execution and evasion techniques which makes its detection and prevention relatively easy, especially for corporate targets with adequate levels of cybersecurity.

According to the Hancitor analysis, the 2016 version of the malware had 66 functions and had the size of 20 480 bytes while the 2018 version is made up of 51 functions that amount to the size of 20 992 bytes. One of the main differences between the versions is the lack of connectivity check functionality in the 2018 iteration. As such, the older iteration of Hancitor would try to connect to Google.com during execution to check for connections whereas the never iteration fully omits this step. The newer version also makes use of the RC4 encryption and contains some updated commands.

Not unlike other malware, Hancitor Trojan uses several attack vectors to maximize the success rate. Hancitor creators have exploited uncommon API abuse and PowerShell methods among others to ensure the successful infection.

Over the last two years, over 80 variations of Hancitor were detected in the wild. Usually, a new variation would be created simply to define a new variable for a different campaign, while at other times the basic functions of the loader were completely changed and rewritten. However, such instances were rather rare, and highly rewritten samples didn’t stick around for long. Some researchers believe that in such instances the malware authors were testing different approaches and keeping track of the infection rate to determine what changes should remain and which innovations should go.

Hancitor analysis

A video recorded on the ANY.RUN malware hunting service displays the execution process for Hancitor analysis.

process graph hancitor execution

Figure 1: A visual graph of Hancitor execution processes generated by ANY.RUN

text report of the hancitor malware analysis

Figure 2: A customizable text report shown here was generated in the ANY.RUN malware hunting service

Hancitor malware execution process

Because of its main purpose, the execution of Hancitor doesn't look that impressive. Since the most common vector of attack to infect users' devices is malicious spam campaigns, Hancitor mostly gets into devices with Microsoft Office files. Once the user downloads and opens the malicious file, the malware either use the lure to trick the victim into enabling macros or uses an exploit. After that Hancitor will be either downloaded from the C2 server or dropped from an Office file. The next step is its execution during which the malware downloads the main payload, usually a trojan such as Pony, Vawtrak, or DELoader.

Distribution of Hancitor

Based on the Hancitor analysis, the trojan is usually distributed in malspam campaigns as a maldoc, malicious Microsoft Office file attachment. However, since most organizations started improving their cybersecurity measures some campaigns distributing Hancitor contain a link pointing at the website from where this loader is downloaded.

In the case of distribution using .DOC attachments, the user must first download the file and then activate macros, ignoring multiple security warnings. Malware authors use lures to trick users into doing that. Some phishing emails contain an invoice or a fake payment-related document, trying to make the user download it. In addition, attackers provide instructions to enable macros. If the user complies, malicious macros will download Hancitor or it will be dropped from the maldoc.

In some malspam campaigns, Hancitor was delivered to victims with .RTF maldocs which used an exploit to run the PowerShell command which downloaded the loader to the computer.

How to detect Hancitor using ANY.RUN?

Analysts can take a look at what modules malware uses. Choose the process by clicking on it in the process tree of the task then click on the "More info" button. In the "Advanced details of process" window switch to the "Modules" tab and take a closer look.

modules loaded by hancitor Figure 3: Modules loaded by Hancitor

Conclusion

Despite its simplicity and vulnerability to even simple countermeasures, Hancitor Trojan somehow remains to be an active malware that continues to target it is limited demographic, evidently with a good success rate the same as Zloader. The authors of Hancitor are extremely active and regularly come up with new iterations of this loader.

Researchers can take advantage of malware hunting services such as ANY.RUN to take malware samples apart and perform the in-depthHancitor analysis.

HAVE A LOOK AT

Interlock screenshot
Interlock
interlock
Interlock is a relatively recent entrant into the ransomware landscape. First identified in 2023, it's a multi-functional malware strain used in ransomware-as-a-service (RaaS) operations.
Read More
Remote Access Trojan screenshot
Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.
Read More
Rootkit screenshot
Rootkit
rootkit bootkit
A rootkit is a type of malicious software designed to provide unauthorized administrative-level access to a computer or network while concealing its presence. Rootkits are tools used by cybercriminals to hide their activities, including keyloggers, spyware, and other malware, often enabling long-term system exploitation.
Read More
StrelaStealer screenshot
StrelaStealer
strela
StrelaStealer is a malware that targets email clients to steal login credentials, sending them back to the attacker’s command-and-control server. Since its emergence in 2022, it has been involved in numerous large-scale email campaigns, primarily affecting organizations in the EU and U.S. The malware’s tactics continue to evolve, with attackers frequently changing attachment file formats and updating the DLL payload to evade detection.
Read More
BlackMoon screenshot
BlackMoon
blackmoon
BlackMoon also known as KrBanker is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has impressively evolved since by adding a number of new infiltration techniques and information stealing methods.
Read More
Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More