Hancitor

Hancitor was created in 2014 to drop other malware on infected machines. It is also known as Tordal and Chanitor. The malware is sold as a service, which makes it an accessible tool for criminals and contributes to its popularity.

Type: Loader
Origin: Unknown
First seen: 1 January, 2014
Last seen: 20 May, 2022
Also known as: Tordal, Chanitor
Global rank: 28
Week rank: 29
Month rank: 26
IOCs: 16970

What is Hancitor malware?

Hancitor, sometimes called Tordal or Chanitor, is a loader designed to install other malware on the victim's PC, most often Pony, Vawtrak, or DELoader. The malware has been around since 2014, and the original creators distribute it to other users as a service via malspam.

This malware can't be considered particularly dangerous, since even Windows Defender, Microsoft's built-in antivirus, can detect it. On top of that, because it is distributed in malspam campaigns, in many cases the emails don't even reach their targets, being intercepted by spam filters. In essence, the only people truly at risk of a Hancitor infection are those who still run older Windows versions such as Windows 7 or earlier and who either have no antivirus software or have disabled it. Curiously, despite such a limited "target audience", Hancitor's creators continue to update the malware, and it is still very active to this day.

General description of the Hancitor Trojan

The creators of Hancitor provide their loader as a service to other criminals, helping them install various malware on target PCs. The people behind Hancitor are extremely active and organized. Some researchers suspect that they work full business weeks, since surges of Hancitor attacks usually take place on business days and fall off on weekends, which suggests that the operators have a work structure and a schedule.

Despite that, the Hancitor loader has not changed very much since 2016 and to this day relies on very simple execution and evasion techniques, which makes its detection and prevention relatively easy, especially for corporate targets with an adequate level of cybersecurity.

According to the Hancitor analysis, the 2016 version of the malware had 66 functions and was 20,480 bytes in size, while the 2018 version is made up of 51 functions and amounts to 20,992 bytes. One of the main differences between the versions is the lack of a connectivity check in the 2018 iteration: the older iteration of Hancitor would try to connect to Google.com during execution to verify that it had network access, whereas the newer iteration omits this step entirely. The newer version also uses RC4 encryption and contains some updated commands.

Like other malware, the Hancitor Trojan uses several attack vectors to maximize its success rate. Its creators have relied on uncommon API abuse and PowerShell techniques, among others, to ensure a successful infection.

Over the last two years, more than 80 variations of Hancitor were detected in the wild. Usually, a new variation was created simply to define a new variable for a different campaign, while at other times the basic functions of the loader were completely changed and rewritten. Such instances were rather rare, however, and heavily rewritten samples didn't stick around for long. Some researchers believe that in those cases the malware authors were testing different approaches and tracking the infection rate to determine which changes should remain and which innovations should go.

Hancitor analysis

A video recorded on the ANY.RUN malware hunting service displays the execution process for Hancitor analysis.


Figure 1: A visual graph of Hancitor execution processes generated by ANY.RUN


Figure 2: A customizable text report shown here was generated in the ANY.RUN malware hunting service

Hancitor malware execution process

Because of its main purpose, the execution of Hancitor doesn't look that impressive. Since the most common attack vector is malicious spam, Hancitor mostly arrives on devices inside Microsoft Office files. Once the user downloads and opens the malicious file, the malware either uses a lure to trick the victim into enabling macros or uses an exploit. After that, Hancitor is either downloaded from the C2 server or dropped from the Office file. The next step is its execution, during which the malware downloads the main payload, usually a trojan such as Pony, Vawtrak, or DELoader.

Distribution of Hancitor

Based on the Hancitor analysis, the trojan is usually distributed in malspam campaigns as a maldoc, a malicious Microsoft Office file attachment. However, since most organizations have started improving their cybersecurity measures, some campaigns distributing Hancitor instead contain a link pointing to the website from which the loader is downloaded.

In the case of distribution using .DOC attachments, the user must first download the file and then enable macros, ignoring multiple security warnings. Malware authors use lures to trick users into doing so: some phishing emails contain an invoice or a fake payment-related document to get the user to download it, and the attackers provide instructions for enabling macros. If the user complies, the malicious macros download Hancitor, or it is dropped from the maldoc itself.

In some malspam campaigns, Hancitor was delivered with .RTF maldocs that used an exploit to run a PowerShell command, which downloaded the loader to the computer.
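The delivery chain described in the two sections above (an Office attachment that carries a VBA macro, or an RTF maldoc with an embedded object) can be triaged at the mail gateway before a user ever sees the "enable macros" prompt. The following is an added example, not code from the page or from ANY.RUN: it inspects an attachment's bytes for the two structural indicators that chain relies on. An Office Open XML file is a ZIP container, so a VBA project shows up as a vbaProject.bin part and as a macroEnabled content type in [Content_Types].xml; an RTF file that embeds an OLE object carries the \object, \objemb or \objdata control words. The sample documents are constructed in memory by the example itself; the OLE header bytes in the stub vbaProject.bin are only a placeholder.

```python
import io
import re
import zipfile

# Indicators a mail-gateway triage step can check without opening the document in Office.
VBA_PART_SUFFIX = "vbaproject.bin"          # OOXML part that holds a VBA project
MACRO_CONTENT_TYPE = b"macroEnabled"        # appears in [Content_Types].xml of .docm/.xlsm/.pptm
RTF_OBJECT_RE = re.compile(rb"\\obj(?:data|emb)")   # RTF control words for embedded OLE objects

# Real OOXML content types (assumption-free; these are the documented values).
DOCX_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
DOCM_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"


def ooxml_findings(data: bytes) -> dict:
    """Return macro indicators found in an Office Open XML container (ZIP)."""
    findings = {"is_ooxml": False, "has_vba_project": False, "macro_enabled_content_type": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings                     # not a ZIP, so not OOXML
    findings["is_ooxml"] = True
    names = zf.namelist()
    findings["has_vba_project"] = any(n.lower().endswith(VBA_PART_SUFFIX) for n in names)
    if "[Content_Types].xml" in names:
        findings["macro_enabled_content_type"] = MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml")
    return findings


def rtf_findings(data: bytes) -> dict:
    """Return embedded-object indicators for an RTF file (RTF starts with '{\\rtf')."""
    is_rtf = data.lstrip().startswith(b"{\\rtf")
    return {"is_rtf": is_rtf, "has_embedded_object": bool(is_rtf and RTF_OBJECT_RE.search(data))}


def assess_attachment(data: bytes) -> str:
    """Map the indicators to a short verdict a gateway rule can act on."""
    ox = ooxml_findings(data)
    if ox["is_ooxml"]:
        if ox["has_vba_project"] or ox["macro_enabled_content_type"]:
            return "ooxml-with-macros"
        return "ooxml-no-macro-indicators"
    rtf = rtf_findings(data)
    if rtf["is_rtf"]:
        return "rtf-with-embedded-object" if rtf["has_embedded_object"] else "rtf-no-embedded-object"
    return "unknown-format"


def build_sample_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal .docx/.docm container used only to exercise the checks above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_ct = DOCM_MAIN_CT if with_vba else DOCX_MAIN_CT
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types><Override PartName="/word/document.xml" '
            'ContentType="%s"/></Types>' % main_ct,
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder OLE compound-file magic followed by padding; not a real VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
    return buf.getvalue()


# Constructed RTF samples: one with an embedded OLE object, one plain.
SAMPLE_RTF_WITH_OBJECT = b"{\\rtf1\\ansi {\\object\\objemb{\\*\\objdata 0105000002000000}}}"
SAMPLE_RTF_PLAIN = b"{\\rtf1\\ansi Hello}"


if __name__ == "__main__":
    for label, blob in [
        ("docm with VBA", build_sample_ooxml(True)),
        ("docx without VBA", build_sample_ooxml(False)),
        ("rtf with object", SAMPLE_RTF_WITH_OBJECT),
        ("plain rtf", SAMPLE_RTF_PLAIN),
    ]:
        print(f"{label:18s} -> {assess_attachment(blob)}")
```

The content-type check matters because the vbaProject.bin part name can in principle be changed by an attacker while the macroEnabled content type is what Office actually uses to decide to load the project; checking both reduces the chance of one indicator being evaded. A legacy .DOC file is an OLE compound document rather than a ZIP and is not covered here; for those, a tool such as oletools (olevba) is the usual choice.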

How to detect Hancitor using ANY.RUN?

Analysts can take a look at which modules the malware uses. Choose the process by clicking on it in the task's process tree, then click the "More info" button. In the "Advanced details of process" window, switch to the "Registry changes" tab and take a closer look.

Figure 3: Modules loaded by Hancitor

Conclusion

Despite its simplicity and vulnerability to even basic countermeasures, the Hancitor Trojan somehow remains active and continues to target its limited demographic, evidently with a good success rate, much like Zloader. The authors of Hancitor are extremely active and regularly come up with new iterations of the loader.

Researchers can take advantage of malware hunting services such as ANY.RUN to take malware samples apart and perform an in-depth Hancitor analysis.

IOCs

IP addresses
35.205.61.67
23.202.231.167
213.186.33.5
23.202.231.167
75.2.18.233
213.186.33.4
213.186.33.2
92.53.96.150
91.227.68.251
192.254.234.16
151.80.13.34
194.147.115.74
185.76.64.161
202.124.241.203
194.67.71.97
185.117.155.106
43.255.154.47
91.224.22.15
194.67.71.130
194.67.71.155
Hashes

Domains
fuyt.org
tzgl.org
kotob.top
wrrst.top
tbpws.top
securebiz.org
www.ahmed-mohammed.online
micrwa.link
htagzdownload.pw
saumottam.ru
www.llgyl.com
apogeautomation.lk
ypfblog2021.asia
ypfblog2021.asia
www.shared-info.ml
www.primaclasseempire.com
nadser.ru
wwwcambridgebayhotel.innsnorth.com
livebuisnessportal.ml
www.kreativevisibility.net
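The IP addresses and domains listed above are most useful once they are turned into a detection. The following is an added example, not code from the page or from ANY.RUN, that loads the page's network indicators into sets (which also collapses the two entries that appear twice in the list) and runs them over a handful of constructed DNS and proxy log lines. A hostname matches if it equals an indicator domain or is a subdomain of one, and IPv4 candidates are validated before lookup so that timestamps and version strings do not produce false hits. The log lines and the private client addresses in them are constructed for the example.

```python
import ipaddress
import re

# Network indicators copied from the IOC list on this page; sets dedupe repeated entries.
HANCITOR_IPS = {
    "35.205.61.67", "23.202.231.167", "213.186.33.5", "75.2.18.233",
    "213.186.33.4", "213.186.33.2", "92.53.96.150", "91.227.68.251",
    "192.254.234.16", "151.80.13.34", "194.147.115.74", "185.76.64.161",
    "202.124.241.203", "194.67.71.97", "185.117.155.106", "43.255.154.47",
    "91.224.22.15", "194.67.71.130", "194.67.71.155",
}
HANCITOR_DOMAINS = {
    "fuyt.org", "tzgl.org", "kotob.top", "wrrst.top", "tbpws.top",
    "securebiz.org", "www.ahmed-mohammed.online", "micrwa.link",
    "htagzdownload.pw", "saumottam.ru", "www.llgyl.com", "apogeautomation.lk",
    "ypfblog2021.asia", "www.shared-info.ml", "www.primaclasseempire.com",
    "nadser.ru", "wwwcambridgebayhotel.innsnorth.com", "livebuisnessportal.ml",
    "www.kreativevisibility.net",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Dotted hostnames ending in an alphabetic TLD; pure IPv4 strings do not match this.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def domain_hit(host: str):
    """Return the indicator domain that `host` equals or sits under, else None."""
    host = host.lower().rstrip(".")
    if host in HANCITOR_DOMAINS:
        return host
    for d in HANCITOR_DOMAINS:
        if host.endswith("." + d):        # subdomain of an indicator (e.g. cdn.fuyt.org)
            return d
    return None


def match_line(line: str) -> list:
    """Return [(kind, indicator), ...] for every IoC seen in one log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(ip)        # drops octets > 255 and similar junk
        except ValueError:
            continue
        if ip in HANCITOR_IPS:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line.lower()):
        d = domain_hit(host)
        if d:
            hits.append(("domain", d))
    return hits


def scan_logs(lines) -> list:
    """Return [(line_number, hits)] for lines that contain at least one indicator."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            results.append((n, hits))
    return results


# Constructed log lines: two DNS queries and one proxy connection that touch indicators,
# plus two benign lines that must not match.
SAMPLE_LOGS = [
    "2022-05-20T10:01:02Z dns client=10.0.0.15 qname=fuyt.org rcode=NOERROR",
    "2022-05-20T10:01:05Z proxy client=10.0.0.15 dst=23.202.231.167:80 method=POST path=/",
    "2022-05-20T10:02:11Z dns client=10.0.0.22 qname=cdn.ypfblog2021.asia rcode=NXDOMAIN",
    "2022-05-20T10:02:30Z dns client=10.0.0.22 qname=www.example.com rcode=NOERROR",
    "2022-05-20T10:03:01Z proxy client=10.0.0.31 dst=198.51.100.7:443 method=GET path=/",
]


if __name__ == "__main__":
    for n, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {hits}")
```

Infrastructure indicators like these age quickly, so the same loader can be used with a fresher list without changing the matching logic; the subdomain rule is what keeps a domain indicator useful when the operators rotate hostnames under it.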
