Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
57
Global rank
121 infographic chevron month
Month rank
102 infographic chevron week
Week rank
0
IOCs

Hancitor was created in 2014 to drop other malware on infected machines. It is also known as Tordal and Chanitor. This malware is available as a service which makes it accessible tools to criminals and contributes to the popularity of this virus.

Loader
Type
Unknown
Origin
1 January, 2014
First seen
3 January, 2025
Last seen
Also known as
Tordal
Chanitor

How to analyze Hancitor with ANY.RUN

Type
Unknown
Origin
1 January, 2014
First seen
3 January, 2025
Last seen

IOCs

IP addresses
213.186.33.2
74.208.236.239
43.255.154.47
77.246.147.110
109.71.254.182
194.135.33.165
154.216.78.126
154.216.69.43
154.216.84.200
154.216.78.119
154.216.69.57
154.216.85.214
154.216.69.34
154.216.82.18
154.216.84.211
154.216.82.27
154.216.84.218
154.216.78.108
154.216.82.0
154.216.85.196
Domains
belcineloweek.ru
thistrespor.ru
hadevatjulps.com
sibiquan.ru
mymooney.ru
witakilateg.com
laadlifashionworld.com
mamaboss.io
rindicatle.ru
diverbsez.ru
hersdintfortho.ru
wheredidmarkmakehismoney.com
webdev-wazoomstudio.online
nepbag.com
thegbars.net
thougolograrly.ru
ulaginceter.com
cenovia.com
thatimine.ru
throsesspeotte.com
URLs
http://gintlyba.ru/8/forum.php
http://stralonz.ru/8/forum.php
http://newnucapi.com/8/forum.php
http://thowerteigime.com/8/forum.php
http://euvereginumet.ru/8/forum.php
http://rhopulforopme.ru/8/forum.php
http://lacsitgohed.ru/ls5/forum.php
http://tithaphersand.com/ls5/forum.php
http://midatotid.ru/ls5/forum.php
http://antialkinno.com/8/forum.php
http://thistrespor.ru/8/forum.php
http://knorshand.ru/8/forum.php
http://satursed.com/8/forum.php
http://sameastar.ru/8/forum.php
http://ludiesibut.ru/8/forum.php
http://hetenoaning.ru/ls5/forum.php
http://hartofhedtret.ru/ls5/forum.php
http://hitorsletna.com/ls5/forum.php
http://tontorrombut.com/ls5/forum.php
http://tedousenebi.com/ls5/forum.php
Last Seen at

Recent blog posts

post image
I Used a Sandbox to Strengthen Bank’s Securit...
watchers 53
comments 0
post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 559
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1430
comments 0

What is Hancitor malware?

Hancitor, sometimes called Tordal and Chanitor is a loader designed to install other malware on the victim’s PC – most often it’s either Pony, Vawtrak, or DELoader. The malware has been around since 2014 and it is distributed to other users as a service by the original creators via malspam.

This malware can’t be considered dangerous since even Microsoft's built-in antivirus Windows Defender can detect it. On top of that, being distributed in malspam campaigns, in a lot of cases emails don’t even reach their targets, being intercepted by spam filters. In essence, the only people truly in danger of getting infected by Hancitor, are those who still utilize older Windows versions like Windows seven or earlier and who either don’t have or disabled their antivirus software. Curiously, despite such a limited “target audience”, Hancitor creators continue to update this malware and it is still very active to this day.

General description of the Hancitor Trojan

Creators of Hancitor provide their loader as a service to other criminals, helping to install various malware on the target PCs. The people behind Hancitor are extremely active and organized. Some researchers suspect that they work full business weeks since the surge of Hancitor attacks usually takes place on business days and falls off on the weekends, which suggests that the hackers responsible have a work structure and a schedule.

Despite that, Hancitor loader has not changed very much since 2016 and to this day relies on very simple execution and evasion techniques which makes its detection and prevention relatively easy, especially for corporate targets with adequate levels of cybersecurity.

According to the Hancitor analysis, the 2016 version of the malware had 66 functions and had the size of 20 480 bytes while the 2018 version is made up of 51 functions that amount to the size of 20 992 bytes. One of the main differences between the versions is the lack of connectivity check functionality in the 2018 iteration. As such, the older iteration of Hancitor would try to connect to Google.com during execution to check for connections whereas the never iteration fully omits this step. The newer version also makes use of the RC4 encryption and contains some updated commands.

Not unlike other malware, Hancitor Trojan uses several attack vectors to maximize the success rate. Hancitor creators have exploited uncommon API abuse and PowerShell methods among others to ensure the successful infection.

Over the last two years, over 80 variations of Hancitor were detected in the wild. Usually, a new variation would be created simply to define a new variable for a different campaign, while at other times the basic functions of the loader were completely changed and rewritten. However, such instances were rather rare, and highly rewritten samples didn’t stick around for long. Some researchers believe that in such instances the malware authors were testing different approaches and keeping track of the infection rate to determine what changes should remain and which innovations should go.

Hancitor analysis

A video recorded on the ANY.RUN malware hunting service displays the execution process for Hancitor analysis.

process graph hancitor execution

Figure 1: A visual graph of Hancitor execution processes generated by ANY.RUN

text report of the hancitor malware analysis

Figure 2: A customizable text report shown here was generated in the ANY.RUN malware hunting service

Hancitor malware execution process

Because of its main purpose, the execution of Hancitor doesn't look that impressive. Since the most common vector of attack to infect users' devices is malicious spam campaigns, Hancitor mostly gets into devices with Microsoft Office files. Once the user downloads and opens the malicious file, the malware either use the lure to trick the victim into enabling macros or uses an exploit. After that Hancitor will be either downloaded from the C2 server or dropped from an Office file. The next step is its execution during which the malware downloads the main payload, usually a trojan such as Pony, Vawtrak, or DELoader.

Distribution of Hancitor

Based on the Hancitor analysis, the trojan is usually distributed in malspam campaigns as a maldoc, malicious Microsoft Office file attachment. However, since most organizations started improving their cybersecurity measures some campaigns distributing Hancitor contain a link pointing at the website from where this loader is downloaded.

In the case of distribution using .DOC attachments, the user must first download the file and then activate macros, ignoring multiple security warnings. Malware authors use lures to trick users into doing that. Some phishing emails contain an invoice or a fake payment-related document, trying to make the user download it. In addition, attackers provide instructions to enable macros. If the user complies, malicious macros will download Hancitor or it will be dropped from the maldoc.

In some malspam campaigns, Hancitor was delivered to victims with .RTF maldocs which used an exploit to run the PowerShell command which downloaded the loader to the computer.

How to detect Hancitor using ANY.RUN?

Analysts can take a look at what modules malware uses. Choose the process by clicking on it in the process tree of the task then click on the "More info" button. In the "Advanced details of process" window switch to the "Modules" tab and take a closer look.

modules loaded by hancitor Figure 3: Modules loaded by Hancitor

Conclusion

Despite its simplicity and vulnerability to even simple countermeasures, Hancitor Trojan somehow remains to be an active malware that continues to target it is limited demographic, evidently with a good success rate the same as Zloader. The authors of Hancitor are extremely active and regularly come up with new iterations of this loader.

Researchers can take advantage of malware hunting services such as ANY.RUN to take malware samples apart and perform the in-depthHancitor analysis.

HAVE A LOOK AT

Orcus RAT screenshot
Orcus RAT
orcus rat trojan
Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.
Read More
Latrodectus screenshot
Latrodectus
latrodectus
Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.
Read More
Remcos screenshot
Remcos
remcos trojan rat stealer
Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month.
Read More
Havoc screenshot
Havoc
havoc
Havoc is an advanced post-exploitation framework used by hackers to take control of a system once they've breached it. With Havoc, attackers can run commands remotely, inject malicious processes, and access sensitive data. It's often used in targeted attacks, allowing cybercriminals to stay hidden in a network while stealing information or launching further attacks. Its flexibility and ability to bypass detection make it a serious threat, especially in environments that rely on traditional security tools.
Read More
Lynx screenshot
Lynx
lynx
Lynx is a double extortion ransomware: attackers encrypt important and sensitive data and demand a ransom for decryption simultaneously threatening to publish or sell the data. Active since mid-2024. Among techniques are terminating processes and services, privilege escalation, deleting shadow copies. Distribution by phishing, malvertising, exploiting vulnerabilities.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More