SYMBOLCOMMON_NAMEaka. SYNONYMS
win.hancitor (Back to overview)

Hancitor

aka: Chanitor
VTCollection     URLhaus    

Hancitor(aka Chanitor) emerged in 2013 which spread via social engineering techniques mainly through phishing mails embedded with malicious link and weaponized Microsoft office document contains malicious macro in it.

References
2022-08-17Group-IBVictor Okorokov
Switching side jobs Links between ATMZOW JS-sniffer and Hancitor
Hancitor
2022-02-12muha2xmadMuhammad Hasan Ali
Full Hancitor malware analysis
Hancitor
2022-01-08muha2xmadMuhammad Hasan Ali
Unpacking Hancitor malware
Hancitor
2021-12-310ffset BlogChuong Dong
HANCITOR: Analysing The Main Loader
Hancitor
2021-12-28Medium CrovaxCrovax
Extracting Hancitor’s Configuration with Ghidra part 1
Hancitor
2021-11-230ffset BlogChuong Dong
HANCITOR: Analysing The Malicious Document
Hancitor
2021-11-01The DFIR Report@iiamaleks, @samaritan_o
From Zero to Domain Admin
Cobalt Strike Hancitor
2021-10-04Github (OALabs)OALabs
Reverse engineered the Hancitor DLL and built a static config extractor
Hancitor
2021-10-04pid4.ioJames Hovious
How to Write a Hancitor Extractor in Go
Hancitor
2021-09-29Malware Traffic AnalysisBrad Duncan
2021-09-29 (Wednesday) - Hancitor with Cobalt Strike
Cobalt Strike Hancitor
2021-09-29Malware Traffic AnalysisBrad Duncan
Hancitor with Cobalt Strike
Cobalt Strike Hancitor
2021-09-09Cyber-AnubisNidal Fikri
Hancitor Loader | RE & Config Extraction
Hancitor
2021-08-05Group-IBNikita Rostovcev, Viktor Okorokov
Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot
Prometheus Backdoor Buer campoloader Hancitor IcedID QakBot
2021-07-20VMRayMateusz Lukaszewski
Hancitor’s Multi-Step Delivery Process
Hancitor
2021-07-09InfoSec Handlers Diary BlogBrad Duncan
Hancitor tries XLL as initial malware file
Cobalt Strike Hancitor
2021-07-08McAfeeMcAfee Labs
Hancitor Making Use of Cookies to Prevent URL Scraping
Hancitor
2021-06-28The DFIR ReportThe DFIR Report
Hancitor Continues to Push Cobalt Strike
Cobalt Strike Hancitor
2021-06-21Medium elis531989Eli Salem
Dissecting and automating Hancitor’s config extraction
Hancitor
2021-06-17Binary DefenseBrandon George
Analysis of Hancitor – When Boring Begets Beacon
Cobalt Strike Ficker Stealer Hancitor
2021-05-19Intel 471Intel 471
Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot
2021-05-07Group-IBOleg Skulkin, Semyon Rogachev
Connecting the Bots Hancitor fuels Cuba Ransomware Operations
Cuba Hancitor
2021-04-16InQuestDmitry Melikov
Unearthing Hancitor Infrastructure
Hancitor
2021-04-07Palo Alto Networks Unit 42Brad Duncan
Wireshark Tutorial: Examining Traffic from Hancitor Infections
Hancitor
2021-04-01Palo Alto Networks Unit 42Brad Duncan
Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool
Cobalt Strike Hancitor Moskalvzapoe
2021-02-11Twitter (@TheDFIRReport)The DFIR Report
Tweet on Hancitor Activity followed by cobaltsrike beacon
Cobalt Strike Hancitor
2021-02-01Silent PushMartijn Grooten
Pivoting: finding malware domains without seeing malicious activity
Hancitor
2021-01-13InfoSec Handlers Diary BlogBrad Duncan
Hancitor activity resumes after a hoilday break
Hancitor
2021-01-10Medium walmartglobaltechJason Reaves
MAN1, Moskal, Hancitor and a side of Ransomware
Cobalt Strike Hancitor SendSafe VegaLocker Moskalvzapoe
2019-11-01Dodge This SecurityDodge This Security
Hancitor. Evasive new waves, and how COM objects can use Cached Credentials for Proxy Authentication
Hancitor
2019-05-01Felix Weyne
Hancitor's Packer Damystified
Hancitor
2018-11-05Vitali Kremez
Let's Learn: In-Depth Reversing of Hancitor Dropper/Loader: 2016 vs 2018 Malware Progression
Hancitor
2018-02-27Palo Alto Networks Unit 42Jeff White
Dissecting Hancitor’s Latest 2018 Packer
Hancitor
2018-02-07Palo Alto Networks Unit 42Brad Duncan, Vicky Ray
Compromised Servers & Fraud Accounts: Recent Hancitor Attacks
Hancitor
2016-09-23FireEyeAnkit Anubhav, Dileep Kumar Jallepalli
Hancitor (AKA Chanitor) observed using multiple attack approaches
Hancitor
2016-08-22Palo Alto Networks Unit 42Jeff White
VB Dropper and Shellcode for Hancitor Reveal New Techniques Behind Uptick
Hancitor
2016-08-19Minerva LabsMinerva Labs Research Team
New Hancitor Malware: Pimp my Downloaded
Hancitor
2016-07-12Fidelis CybersecurityThreat Research Team
Me and Mr. Robot: Tracking the Actor Behind the MAN1 Crypter
Hancitor Vawtrak
2016-05-12ProofpointAxel F, Matthew Mesa
Hancitor and Ruckguv Reappear, Updated and With Vawtrak On Deck
Hancitor Ruckguv
2015-01-09ZscalerZscaler
Chanitor Downloader Actively Installing Vawtrak
Hancitor
Yara Rules
[TLP:WHITE] win_hancitor_auto (20230808 | Detects win.hancitor.)
rule win_hancitor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.hancitor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 6824040000 6a00 6a00 6a00 }
            // n = 5, score = 1000
            //   6a00                 | push                0
            //   6824040000           | push                0x424
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_1 = { 6800010000 6a40 68???????? e8???????? }
            // n = 4, score = 900
            //   6800010000           | push                0x100
            //   6a40                 | push                0x40
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_2 = { 8bec a1???????? 85c0 740c ff7508 6a00 50 }
            // n = 7, score = 600
            //   8bec                 | mov                 ebp, esp
            //   a1????????           |                     
            //   85c0                 | test                eax, eax
            //   740c                 | je                  0xe
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   50                   | push                eax

        $sequence_3 = { 8bec 8b4d08 6a00 6a01 51 }
            // n = 5, score = 600
            //   8bec                 | mov                 ebp, esp
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   51                   | push                ecx

        $sequence_4 = { 68???????? ff7508 c605????????00 ff15???????? }
            // n = 4, score = 600
            //   68????????           |                     
            //   ff7508               | push                dword ptr [ebp + 8]
            //   c605????????00       |                     
            //   ff15????????         |                     

        $sequence_5 = { a3???????? 85c0 7502 5d c3 ff7508 6a00 }
            // n = 7, score = 600
            //   a3????????           |                     
            //   85c0                 | test                eax, eax
            //   7502                 | jne                 4
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6a00                 | push                0

        $sequence_6 = { 8b4df4 51 8b55f8 52 8b4510 }
            // n = 5, score = 600
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   51                   | push                ecx
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   52                   | push                edx
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]

        $sequence_7 = { 8b4d08 0fbe11 83fa7d 750e }
            // n = 4, score = 600
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   0fbe11               | movsx               edx, byte ptr [ecx]
            //   83fa7d               | cmp                 edx, 0x7d
            //   750e                 | jne                 0x10

        $sequence_8 = { 8bd8 83fbff 7509 6a00 57 }
            // n = 5, score = 600
            //   8bd8                 | mov                 ebx, eax
            //   83fbff               | cmp                 ebx, -1
            //   7509                 | jne                 0xb
            //   6a00                 | push                0
            //   57                   | push                edi

        $sequence_9 = { 6a00 6a01 8b5508 52 ff55f4 33c0 8be5 }
            // n = 7, score = 600
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   52                   | push                edx
            //   ff55f4               | call                dword ptr [ebp - 0xc]
            //   33c0                 | xor                 eax, eax
            //   8be5                 | mov                 esp, ebp

        $sequence_10 = { 8b4df4 8b5104 83ea08 d1ea 8955d4 }
            // n = 5, score = 600
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8b5104               | mov                 edx, dword ptr [ecx + 4]
            //   83ea08               | sub                 edx, 8
            //   d1ea                 | shr                 edx, 1
            //   8955d4               | mov                 dword ptr [ebp - 0x2c], edx

        $sequence_11 = { c60600 ff15???????? 8b3d???????? 85c0 740a }
            // n = 5, score = 600
            //   c60600               | mov                 byte ptr [esi], 0
            //   ff15????????         |                     
            //   8b3d????????         |                     
            //   85c0                 | test                eax, eax
            //   740a                 | je                  0xc

        $sequence_12 = { 8b4dec 8b55f4 035128 8b4518 8910 eb02 }
            // n = 6, score = 600
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   035128               | add                 edx, dword ptr [ecx + 0x28]
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   8910                 | mov                 dword ptr [eax], edx
            //   eb02                 | jmp                 4

        $sequence_13 = { 8945f8 8b4df8 894df4 6a00 6a01 }
            // n = 5, score = 600
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   6a00                 | push                0
            //   6a01                 | push                1

        $sequence_14 = { 7411 8d85f4fdffff 50 8b4d08 51 }
            // n = 5, score = 600
            //   7411                 | je                  0x13
            //   8d85f4fdffff         | lea                 eax, [ebp - 0x20c]
            //   50                   | push                eax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   51                   | push                ecx

        $sequence_15 = { 8b4d08 53 56 57 8b413c }
            // n = 5, score = 600
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b413c               | mov                 eax, dword ptr [ecx + 0x3c]

        $sequence_16 = { 8945cc 8365e400 c745bc0a000000 eb07 8b45bc }
            // n = 5, score = 100
            //   8945cc               | mov                 dword ptr [ebp - 0x34], eax
            //   8365e400             | and                 dword ptr [ebp - 0x1c], 0
            //   c745bc0a000000       | mov                 dword ptr [ebp - 0x44], 0xa
            //   eb07                 | jmp                 9
            //   8b45bc               | mov                 eax, dword ptr [ebp - 0x44]

        $sequence_17 = { c3 4b fd 008d4556f400 08640f08 ed fec3 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   4b                   | dec                 ebx
            //   fd                   | std                 
            //   008d4556f400         | add                 byte ptr [ebp + 0xf45645], cl
            //   08640f08             | or                  byte ptr [edi + ecx + 8], ah
            //   ed                   | in                  eax, dx
            //   fec3                 | inc                 bl

        $sequence_18 = { a1???????? 8945b4 a1???????? 83c044 a3???????? 8b45b4 83e803 }
            // n = 7, score = 100
            //   a1????????           |                     
            //   8945b4               | mov                 dword ptr [ebp - 0x4c], eax
            //   a1????????           |                     
            //   83c044               | add                 eax, 0x44
            //   a3????????           |                     
            //   8b45b4               | mov                 eax, dword ptr [ebp - 0x4c]
            //   83e803               | sub                 eax, 3

        $sequence_19 = { b9382baa99 c7458ce4f25701 ff15???????? 894da0 a1???????? }
            // n = 5, score = 100
            //   b9382baa99           | mov                 ecx, 0x99aa2b38
            //   c7458ce4f25701       | mov                 dword ptr [ebp - 0x74], 0x157f2e4
            //   ff15????????         |                     
            //   894da0               | mov                 dword ptr [ebp - 0x60], ecx
            //   a1????????           |                     

        $sequence_20 = { 6a00 6a00 ff15???????? c745a064000000 }
            // n = 4, score = 100
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   c745a064000000       | mov                 dword ptr [ebp - 0x60], 0x64

        $sequence_21 = { c645f300 c645fc65 c645fd00 c745f8dc030000 8365b800 }
            // n = 5, score = 100
            //   c645f300             | mov                 byte ptr [ebp - 0xd], 0
            //   c645fc65             | mov                 byte ptr [ebp - 4], 0x65
            //   c645fd00             | mov                 byte ptr [ebp - 3], 0
            //   c745f8dc030000       | mov                 dword ptr [ebp - 8], 0x3dc
            //   8365b800             | and                 dword ptr [ebp - 0x48], 0

        $sequence_22 = { 8945dc e9???????? b9382baa99 c745f464000000 }
            // n = 4, score = 100
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   e9????????           |                     
            //   b9382baa99           | mov                 ecx, 0x99aa2b38
            //   c745f464000000       | mov                 dword ptr [ebp - 0xc], 0x64

        $sequence_23 = { 0f8482000000 c645f301 0fb645f3 85c0 7476 a1???????? 83c044 }
            // n = 7, score = 100
            //   0f8482000000         | je                  0x88
            //   c645f301             | mov                 byte ptr [ebp - 0xd], 1
            //   0fb645f3             | movzx               eax, byte ptr [ebp - 0xd]
            //   85c0                 | test                eax, eax
            //   7476                 | je                  0x78
            //   a1????????           |                     
            //   83c044               | add                 eax, 0x44

    condition:
        7 of them and filesize < 106496
}
Download all Yara Rules