win.hancitor (Back to overview)

Hancitor

aka: Chanitor
URLhaus    

There is no description at this point.

References
https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear
https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/
http://www.morphick.com/resources/lab-blog/closer-look-hancitor
https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader
https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/
https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html
https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/
https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html
https://www.uperesia.com/hancitor-packer-demystified
https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/
https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak
https://boozallenmts.com/resources/news/closer-look-hancitor
https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/
Yara Rules
[TLP:WHITE] win_hancitor_auto (20190620 | autogenerated rule brought to you by yara-signator)
rule win_hancitor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-07-05"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.2a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor"
        malpedia_version = "20190620"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 6824040000 6a00 6a00 6a00 }
            // n = 4, score = 700
            //   6824040000           | push                0x424
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_1 = { e8???????? 83c404 837d1001 75?? 6a00 }
            // n = 5, score = 700
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   837d1001             | cmp                 dword ptr [ebp + 0x10], 1
            //   75??                 |                     
            //   6a00                 | push                0

        $sequence_2 = { 6a00 6824040000 6a00 6a00 }
            // n = 4, score = 700
            //   6a00                 | push                0
            //   6824040000           | push                0x424
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_3 = { 75?? 6800040000 e8???????? 83c404 a3???????? }
            // n = 5, score = 700
            //   75??                 |                     
            //   6800040000           | push                0x400
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   a3????????           |                     

        $sequence_4 = { 6a00 6824040000 6a00 6a00 6a00 }
            // n = 5, score = 700
            //   6a00                 | push                0
            //   6824040000           | push                0x424
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_5 = { e8???????? 83c404 837d1001 75?? 6a00 6a00 }
            // n = 6, score = 700
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   837d1001             | cmp                 dword ptr [ebp + 0x10], 1
            //   75??                 |                     
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_6 = { 6a00 6a00 6824040000 6a00 6a00 }
            // n = 5, score = 700
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6824040000           | push                0x424
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_7 = { 83c404 837d1001 75?? 6a00 6a00 }
            // n = 5, score = 700
            //   83c404               | add                 esp, 4
            //   837d1001             | cmp                 dword ptr [ebp + 0x10], 1
            //   75??                 |                     
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_8 = { 33c0 eb?? 6a00 6a04 8d4510 50 }
            // n = 6, score = 500
            //   33c0                 | xor                 eax, eax
            //   eb??                 |                     
            //   6a00                 | push                0
            //   6a04                 | push                4
            //   8d4510               | lea                 eax, [ebp + 0x10]
            //   50                   | push                eax

        $sequence_9 = { 85c0 75?? 33c0 eb?? 6a00 6a04 8d4510 }
            // n = 7, score = 500
            //   85c0                 | test                eax, eax
            //   75??                 |                     
            //   33c0                 | xor                 eax, eax
            //   eb??                 |                     
            //   6a00                 | push                0
            //   6a04                 | push                4
            //   8d4510               | lea                 eax, [ebp + 0x10]

        $sequence_10 = { 75?? 33c0 eb?? 6a00 6a04 8d4510 }
            // n = 6, score = 500
            //   75??                 |                     
            //   33c0                 | xor                 eax, eax
            //   eb??                 |                     
            //   6a00                 | push                0
            //   6a04                 | push                4
            //   8d4510               | lea                 eax, [ebp + 0x10]

        $sequence_11 = { 33c0 eb?? 6a00 6a04 8d4510 }
            // n = 5, score = 500
            //   33c0                 | xor                 eax, eax
            //   eb??                 |                     
            //   6a00                 | push                0
            //   6a04                 | push                4
            //   8d4510               | lea                 eax, [ebp + 0x10]

        $sequence_12 = { 75?? 33c0 eb?? 6a00 6a04 8d4510 50 }
            // n = 7, score = 500
            //   75??                 |                     
            //   33c0                 | xor                 eax, eax
            //   eb??                 |                     
            //   6a00                 | push                0
            //   6a04                 | push                4
            //   8d4510               | lea                 eax, [ebp + 0x10]
            //   50                   | push                eax

        $sequence_13 = { eb?? 6a00 6a04 8d4510 }
            // n = 4, score = 500
            //   eb??                 |                     
            //   6a00                 | push                0
            //   6a04                 | push                4
            //   8d4510               | lea                 eax, [ebp + 0x10]

        $sequence_14 = { eb?? 6a00 6a04 8d4510 50 }
            // n = 5, score = 500
            //   eb??                 |                     
            //   6a00                 | push                0
            //   6a04                 | push                4
            //   8d4510               | lea                 eax, [ebp + 0x10]
            //   50                   | push                eax

        $sequence_15 = { 8b4134 53 50 ff7508 8945fc }
            // n = 5, score = 400
            //   8b4134               | mov                 eax, dword ptr [ecx + 0x34]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_16 = { eb?? 833d?????????? 74?? 8b45e4 0345c0 8945e4 }
            // n = 6, score = 100
            //   eb??                 |                     
            //   833d??????????       |                     
            //   74??                 |                     
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   0345c0               | add                 eax, dword ptr [ebp - 0x40]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax

        $sequence_17 = { 40 8945d0 8b45c0 83c008 8945c0 8b45b8 }
            // n = 6, score = 100
            //   40                   | inc                 eax
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   83c008               | add                 eax, 8
            //   8945c0               | mov                 dword ptr [ebp - 0x40], eax
            //   8b45b8               | mov                 eax, dword ptr [ebp - 0x48]

        $sequence_18 = { a3???????? a1???????? 0345cc a3???????? 817df8b07d0900 0f8????????? }
            // n = 6, score = 100
            //   a3????????           |                     
            //   a1????????           |                     
            //   0345cc               | add                 eax, dword ptr [ebp - 0x34]
            //   a3????????           |                     
            //   817df8b07d0900       | cmp                 dword ptr [ebp - 8], 0x97db0
            //   0f8?????????         |                     

        $sequence_19 = { 83c008 8945c0 a1???????? 83c044 a3???????? 8b45a0 05c8d45566 }
            // n = 7, score = 100
            //   83c008               | add                 eax, 8
            //   8945c0               | mov                 dword ptr [ebp - 0x40], eax
            //   a1????????           |                     
            //   83c044               | add                 eax, 0x44
            //   a3????????           |                     
            //   8b45a0               | mov                 eax, dword ptr [ebp - 0x60]
            //   05c8d45566           | add                 eax, 0x6655d4c8

        $sequence_20 = { 8945c0 8b45b8 48 8945b8 }
            // n = 4, score = 100
            //   8945c0               | mov                 dword ptr [ebp - 0x40], eax
            //   8b45b8               | mov                 eax, dword ptr [ebp - 0x48]
            //   48                   | dec                 eax
            //   8945b8               | mov                 dword ptr [ebp - 0x48], eax

        $sequence_21 = { 833d?????????? 74?? 8b45e4 0345c0 8945e4 }
            // n = 5, score = 100
            //   833d??????????       |                     
            //   74??                 |                     
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   0345c0               | add                 eax, dword ptr [ebp - 0x40]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax

        $sequence_22 = { 83c044 a3???????? 8b45b4 83e803 8945b4 }
            // n = 5, score = 100
            //   83c044               | add                 eax, 0x44
            //   a3????????           |                     
            //   8b45b4               | mov                 eax, dword ptr [ebp - 0x4c]
            //   83e803               | sub                 eax, 3
            //   8945b4               | mov                 dword ptr [ebp - 0x4c], eax

        $sequence_23 = { 0000 cdf4 ba7925d2c6 08cc }
            // n = 4, score = 100
            //   0000                 | add                 byte ptr [eax], al
            //   cdf4                 | int                 0xf4
            //   ba7925d2c6           | mov                 edx, 0xc6d22579
            //   08cc                 | or                  ah, cl

    condition:
        7 of them
}
Download all Yara Rules