Hancitor

Global rank: 34
Month rank: 43
Week rank: 39
IOCs: 24306

Hancitor was created in 2014 to drop other malware on infected machines. It is also known as Tordal and Chanitor. This malware is offered as a service, which makes the tool accessible to criminals and contributes to its popularity.

Type: Loader
Origin: Unknown
First seen: 1 January, 2014
Last seen: 28 May, 2023
Also known as: Tordal, Chanitor

IOCs

IP addresses
213.186.33.5
35.205.61.67
23.202.231.167
75.2.18.233
213.186.33.2
213.186.33.4
212.58.3.66
68.183.232.255
202.124.241.203
192.254.233.200
98.142.102.90
91.218.228.26
2.56.10.123
194.67.71.165
74.208.236.239
51.254.187.177
194.67.71.83
43.255.154.47
92.53.96.150
Hashes
995cbbb422634d497d65e12454cd5832cf1b4422189d9ec06efa88ed56891cda
d16f1d82ace24ed81113f0ef315e96a2e4d8a28f848e33f59907078b9dd670a9
cd78243e2a4e94cd61aa95edfb4708ceeed5a3ed50ee9b81c57d0935908eb23e
feba398a73a373a2b7e42b6acebb32c153e0fa59495753709c32b6ca78fd03ee
1199b24d407ccdddf83fafaf8d63e971edaafded99214bee6b2ad4906729e4d7
468200d4d207a7cc1df245b9670fcf9e3c491dd344643cd7edcf8a82f2cde214
c7b50a001220ed2eb9b2a720e232a141fe3c2580f2554223502bc5d6611a5a80
81ebc53905826f9edb4960d3a678196038f5be2f0c145468f8391232ed6793c6
83baef2481d651c97f8e583681a3a2b36be54b9876c845c24bb434cf0fc8a01e
2c6acafd23370e2c8cb549120034b40aea835a382e0d8917801e802507a8dd6d
a96180fd4401b1d517cb13e54be6e3fa59b236fe48c5bd61c4e954e53074c642
5cba28ccdc33258e580209009510934c235d177692cc1330d896e2fcab0d075b
14a7624f2235da4073319e49f18f5097d2aebe4e4260852e7f7a31171842b27c
256ed5586c8d5d183ee32ab07d579f51ebce48eb6626fe22b6e66164c73eae37
b0a6576e930a3a7c469537e9e229086b1c3b95b24fc5b0e9e474157016be1b59
d1b72c6ca65fa3010fc81db30cc1d52142d60bc4069bb7fe0294279b27b97fbb
c31b5f9642b5152251aaa8150e814d789fe790968ceb59126511d0a4989946e5
0faba459f37dd11ad44631f644062421a9efed20b511279c9adfd0dc4729c0f5
67f3865b714b0d62d96899311b5c1137f194e9bc7599ab21d565663068b91260
cb0b6a174a243a3d6de602abbc7f2cfc04f924fff66132d15e823bd00a0a9c54
Domains
majul.com
qxq.ddns.net
vcctggqm3t.dattolocal.net
indocin.shop
lingaly.pl
jumpstart.store
www.simpleclick.us
one00centier.info
gov-id.link
atofedpay.info
centierfix.info
nexo-lo.net
nexo.services
www.yutukits.buzz
digital-hall.online
websmail.managements4.shop
ritstraveapt.buzz
webmails.literhost.com
gronlundsplat.xyz
kesslecommon.buzz
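The IOC list above is only useful if it is matched against telemetry. The following added example (not code from the ANY.RUN page) parses a block in the same "header, then one indicator per line" layout, takes a subset of the page's own IPs, hashes and domains as its watchlist, and scans a few constructed proxy, DNS and EDR log lines. Domains are matched label by label so that a subdomain of a listed domain hits while a look-alike such as `notmajul.com` does not; the log lines and the 10.0.0.x / 203.0.113.x addresses are constructed.

```python
"""Match log lines against a Hancitor IOC watchlist.

Added example; it is not part of the ANY.RUN page. The watchlist is a subset
of the indicators listed on the page; the log lines are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Subset of the page's IOC list, in the same "header then one value per line" layout.
HANCITOR_IOCS = """
IP addresses
213.186.33.5
35.205.61.67
Hashes
995cbbb422634d497d65e12454cd5832cf1b4422189d9ec06efa88ed56891cda
d16f1d82ace24ed81113f0ef315e96a2e4d8a28f848e33f59907078b9dd670a9
Domains
majul.com
qxq.ddns.net
"""

# Constructed telemetry: proxy, DNS and EDR lines as a SIEM might normalise them.
SAMPLE_LOG = [
    "2023-05-28T10:01:02Z proxy src=10.0.0.5 dst=213.186.33.5:80 host=majul.com",
    "2023-05-28T10:01:05Z dns client=10.0.0.5 query=www.qxq.ddns.net type=A",
    "2023-05-28T10:01:07Z edr file=C:\\Users\\u\\AppData\\Local\\Temp\\x.exe "
    "sha256=995CBBB422634D497D65E12454CD5832CF1B4422189D9EC06EFA88ED56891CDA",
    "2023-05-28T10:02:00Z proxy src=10.0.0.6 dst=203.0.113.20:443 host=example.com",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

SECTIONS = {"IP addresses": "ips", "Hashes": "hashes", "Domains": "domains"}


def parse_ioc_block(text: str) -> dict[str, set[str]]:
    """Parse the page-style block: a section header, then one indicator per line."""
    iocs: dict[str, set[str]] = {name: set() for name in SECTIONS.values()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            current = SECTIONS[line]
            continue
        if current is None:
            raise ValueError(f"indicator before any section header: {line!r}")
        iocs[current].add(line.lower())  # hashes and domains compare case-insensitively
    return iocs


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str
    value: str


def domain_matches(host: str, domains: set[str]) -> str | None:
    """Return the watchlisted domain that `host` equals or is a subdomain of.

    Suffix matching is done label by label, so `www.qxq.ddns.net` hits
    `qxq.ddns.net` but `notmajul.com` does not hit `majul.com`.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_log(lines: list[str], iocs: dict[str, set[str]]) -> list[Hit]:
    """Return every IOC match in `lines`, tagged with the 1-based line number."""
    hits: list[Hit] = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in iocs["ips"]:
                hits.append(Hit(n, "ip", ip))
        for digest in SHA256_RE.findall(line):
            if digest.lower() in iocs["hashes"]:
                hits.append(Hit(n, "hash", digest.lower()))
        for host in HOST_RE.findall(line):
            matched = domain_matches(host, iocs["domains"])
            if matched:
                hits.append(Hit(n, "domain", matched))
    return hits


def scan_sample() -> list[Hit]:
    """Run the scanner over the constructed log with the page's indicators."""
    return scan_log(SAMPLE_LOG, parse_ioc_block(HANCITOR_IOCS))


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"line {hit.line_no}: {hit.kind} {hit.value}")
```

Running the block reports four hits: the C2 IP and domain on the first proxy line, the subdomain lookup on the DNS line, and the uppercase SHA-256 on the EDR line; the fourth line, with an unlisted address and domain, stays quiet. Swapping in the full block from the page as `HANCITOR_IOCS` needs no other change.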

What is Hancitor malware?

Hancitor, sometimes called Tordal or Chanitor, is a loader designed to install other malware on the victim’s PC, most often Pony, Vawtrak, or DELoader. The malware has been around since 2014 and is offered to other criminals as a service by its original creators, who distribute it via malspam.

This malware can’t be considered dangerous, since even Windows Defender, Microsoft's built-in antivirus, can detect it. On top of that, because it is distributed in malspam campaigns, in many cases the emails don’t even reach their targets, being intercepted by spam filters. In essence, the only people truly in danger of being infected by Hancitor are those who still use older Windows versions such as Windows 7 or earlier and who either don’t have antivirus software or have disabled it. Curiously, despite such a limited “target audience”, Hancitor's creators continue to update this malware, and it is still very active to this day.

General description of the Hancitor Trojan

The creators of Hancitor provide their loader as a service to other criminals, helping them install various malware on target PCs. The people behind Hancitor are extremely active and organized. Some researchers suspect that they work full business weeks, because surges of Hancitor attacks usually take place on business days and fall off on weekends, which suggests that the hackers responsible have a work structure and a schedule.

Despite that, the Hancitor loader has not changed much since 2016 and to this day relies on very simple execution and evasion techniques, which makes its detection and prevention relatively easy, especially for corporate targets with an adequate level of cybersecurity.

According to Hancitor analysis, the 2016 version of the malware had 66 functions and a size of 20,480 bytes, while the 2018 version is made up of 51 functions amounting to 20,992 bytes. One of the main differences between the versions is the lack of a connectivity check in the 2018 iteration: the older iteration of Hancitor would try to connect to Google.com during execution to check for an internet connection, whereas the newer iteration omits this step entirely. The newer version also makes use of RC4 encryption and contains some updated commands.

Like other malware, the Hancitor Trojan uses several attack vectors to maximize its success rate. Hancitor's creators have used uncommon API abuse and PowerShell techniques, among others, to ensure successful infection.

Over the last two years, over 80 variations of Hancitor were detected in the wild. Usually, a new variation was created simply to define a new variable for a different campaign, while at other times the basic functions of the loader were completely rewritten. Such instances were rather rare, however, and heavily rewritten samples didn’t stick around for long. Some researchers believe that in these cases the malware authors were testing different approaches and tracking the infection rate to determine which changes should stay and which should go.

Hancitor analysis

A video recorded on the ANY.RUN malware hunting service shows the execution process of Hancitor as captured during analysis.

Figure 1: A visual graph of Hancitor execution processes generated by ANY.RUN

Figure 2: A customizable text report shown here was generated in the ANY.RUN malware hunting service

Hancitor malware execution process

Because of its main purpose, the execution of Hancitor doesn't look that impressive. Since the most common attack vector for infecting users' devices is malicious spam campaigns, Hancitor mostly arrives on devices inside Microsoft Office files. Once the user downloads and opens the malicious file, the malware either uses a lure to trick the victim into enabling macros or uses an exploit. After that, Hancitor is either downloaded from the C2 server or dropped from the Office file. The next step is its execution, during which the malware downloads the main payload, usually a trojan such as Pony, Vawtrak, or DELoader.

Distribution of Hancitor

Based on Hancitor analysis, the trojan is usually distributed in malspam campaigns as a maldoc, i.e. a malicious Microsoft Office file attachment. However, since most organizations have started improving their cybersecurity measures, some campaigns distributing Hancitor instead contain a link pointing to the website from which the loader is downloaded.

In the case of distribution via .DOC attachments, the user must first download the file and then enable macros, ignoring multiple security warnings. Malware authors use lures to trick users into doing so. Some phishing emails contain an invoice or a fake payment-related document to make the user download it. In addition, the attackers provide instructions for enabling macros. If the user complies, the malicious macros download Hancitor, or it is dropped from the maldoc.

In some malspam campaigns, Hancitor was delivered to victims in .RTF maldocs that used an exploit to run a PowerShell command which downloaded the loader to the computer.
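The execution and distribution sections above describe one chain: an Office document, a macro or an exploit, a PowerShell command or a dropped file, and finally a loader that reaches out for its payload. The following added example (not code from the page or from ANY.RUN) turns that chain into a parent/child detection rule over endpoint process telemetry: any script host started under an Office document, or any non-Office descendant of one that opens its own network connections, raises an alert. The process records, pids, image names and 203.0.113.x addresses are constructed.

```python
"""Flag the maldoc delivery chain the page describes in process telemetry.

Added example, not code from the page or from ANY.RUN. It turns the chain
(Office document -> macro or exploit -> PowerShell or dropped file -> loader
fetches payload) into a parent/child rule and runs it over constructed events.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterator

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters an opened document has no legitimate reason to start; the page
# names PowerShell explicitly for the .RTF exploit route.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str = ""
    net_dst: list[str] = field(default_factory=list)  # outbound connections observed


# Constructed telemetry (hypothetical pids, image names and TEST-NET addresses).
SAMPLE_PROCS = [
    Proc(100, 1, "explorer.exe"),
    Proc(200, 100, "WINWORD.EXE", "WINWORD.EXE /n invoice.doc"),
    Proc(300, 200, "powershell.exe", "powershell.exe (constructed download step)"),
    Proc(400, 300, "dropped_loader.exe", net_dst=["203.0.113.10:80"]),
    Proc(500, 100, "chrome.exe", net_dst=["203.0.113.20:443"]),
]


def ancestors(tree: dict[int, Proc], pid: int) -> Iterator[Proc]:
    """Yield parent, grandparent, ... stopping at the root or on a pid cycle."""
    seen = {pid}
    proc = tree.get(pid)
    while proc is not None and proc.ppid in tree and proc.ppid not in seen:
        seen.add(proc.ppid)
        proc = tree[proc.ppid]
        yield proc


def office_ancestor(tree: dict[int, Proc], proc: Proc) -> Proc | None:
    """Return the nearest Office process above `proc`, if any."""
    for anc in ancestors(tree, proc.pid):
        if anc.image.lower() in OFFICE_HOSTS:
            return anc
    return None


def detect_maldoc_chain(procs: list[Proc]) -> list[str]:
    """Return one alert per process that sits under an Office parent and either
    is a script host or makes its own network connections."""
    tree = {p.pid: p for p in procs}
    alerts: list[str] = []
    for proc in procs:
        anc = office_ancestor(tree, proc)
        if anc is None:
            continue
        chain = f"{anc.image} (pid {anc.pid}) -> {proc.image} (pid {proc.pid})"
        if proc.image.lower() in SCRIPT_HOSTS:
            alerts.append(f"{chain}: script host started under an Office document")
        elif proc.net_dst:
            # A dropped or downloaded binary under Office reaching out is the
            # "loader fetches the main payload" step.
            alerts.append(f"{chain}: descendant connects to {', '.join(proc.net_dst)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_maldoc_chain(SAMPLE_PROCS):
        print(alert)
```

On the sample tree this raises two alerts, for the PowerShell child of WINWORD.EXE and for the binary it started that connects out; the browser under explorer.exe is untouched because it has no Office ancestor. The rule walks the full ancestry rather than only the direct parent, so an extra hop (cmd.exe between Word and PowerShell, for instance) does not hide the chain.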

How to detect Hancitor using ANY.RUN?

Analysts can take a look at which modules the malware uses. Select the process by clicking on it in the task's process tree, then click the "More info" button. In the "Advanced details of process" window, switch to the "Modules" tab and take a closer look.

Figure 3: Modules loaded by Hancitor

Conclusion

Despite its simplicity and vulnerability to even basic countermeasures, the Hancitor Trojan somehow remains active malware that continues to target its limited demographic, evidently with a good success rate, much like Zloader. The authors of Hancitor are extremely active and regularly come up with new iterations of this loader.

Researchers can take advantage of malware hunting services such as ANY.RUN to take malware samples apart and perform in-depth Hancitor analysis.
