win.hancitor

Hancitor

aka: Chanitor

Hancitor (aka Chanitor) emerged in 2013 and spreads via social engineering, mainly phishing emails that carry a malicious link or a weaponized Microsoft Office document containing a malicious macro.

References
2022-08-17 | Group-IB | Victor Okorokov
    Switching side jobs Links between ATMZOW JS-sniffer and Hancitor
    Families: Hancitor

2022-02-12 | muha2xmad | Muhammad Hasan Ali
    Full Hancitor malware analysis
    Families: Hancitor

2022-01-08 | muha2xmad | Muhammad Hasan Ali
    Unpacking Hancitor malware
    Families: Hancitor

2021-12-31 | 0ffset Blog | Chuong Dong
    HANCITOR: Analysing The Main Loader
    Families: Hancitor

2021-12-28 | Medium Crovax | Crovax
    Extracting Hancitor’s Configuration with Ghidra part 1
    Families: Hancitor

2021-11-23 | 0ffset Blog | Chuong Dong
    HANCITOR: Analysing The Malicious Document
    Families: Hancitor

2021-11-01 | The DFIR Report | @iiamaleks, @samaritan_o
    From Zero to Domain Admin
    Families: Cobalt Strike, Hancitor

2021-10-04 | Github (OALabs) | OALabs
    Reverse engineered the Hancitor DLL and built a static config extractor
    Families: Hancitor

2021-10-04 | pid4.io | James Hovious
    How to Write a Hancitor Extractor in Go
    Families: Hancitor

2021-09-29 | Malware Traffic Analysis | Brad Duncan
    2021-09-29 (Wednesday) - Hancitor with Cobalt Strike
    Families: Cobalt Strike, Hancitor

2021-09-29 | Malware Traffic Analysis | Brad Duncan
    Hancitor with Cobalt Strike
    Families: Cobalt Strike, Hancitor

2021-09-09 | Cyber-Anubis | Nidal Fikri
    Hancitor Loader | RE & Config Extraction
    Families: Hancitor

2021-08-05 | Group-IB | Nikita Rostovcev, Viktor Okorokov
    Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot
    Families: Prometheus Backdoor, Buer, campoloader, Hancitor, IcedID, QakBot

2021-07-20 | VMRay | Mateusz Lukaszewski
    Hancitor’s Multi-Step Delivery Process
    Families: Hancitor

2021-07-09 | InfoSec Handlers Diary Blog | Brad Duncan
    Hancitor tries XLL as initial malware file
    Families: Cobalt Strike, Hancitor

2021-07-08 | McAfee | McAfee Labs
    Hancitor Making Use of Cookies to Prevent URL Scraping
    Families: Hancitor

2021-06-28 | The DFIR Report | The DFIR Report
    Hancitor Continues to Push Cobalt Strike
    Families: Cobalt Strike, Hancitor

2021-06-21 | Medium elis531989 | Eli Salem
    Dissecting and automating Hancitor’s config extraction
    Families: Hancitor

2021-06-17 | Binary Defense | Brandon George
    Analysis of Hancitor – When Boring Begets Beacon
    Families: Cobalt Strike, Ficker Stealer, Hancitor

2021-05-19 | Intel 471 | Intel 471
    Look how many cybercriminals love Cobalt Strike
    Families: BazarBackdoor, Cobalt Strike, Hancitor, QakBot, SmokeLoader, SystemBC, TrickBot

2021-05-07 | Group-IB | Oleg Skulkin, Semyon Rogachev
    Connecting the Bots Hancitor fuels Cuba Ransomware Operations
    Families: Cuba, Hancitor

2021-04-16 | InQuest | Dmitry Melikov
    Unearthing Hancitor Infrastructure
    Families: Hancitor

2021-04-07 | Palo Alto Networks Unit 42 | Brad Duncan
    Wireshark Tutorial: Examining Traffic from Hancitor Infections
    Families: Hancitor

2021-04-01 | Palo Alto Networks Unit 42 | Brad Duncan
    Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool
    Families: Cobalt Strike, Hancitor, Moskalvzapoe

2021-02-11 | Twitter (@TheDFIRReport) | The DFIR Report
    Tweet on Hancitor activity followed by a Cobalt Strike beacon
    Families: Cobalt Strike, Hancitor

2021-02-01 | Silent Push | Martijn Grooten
    Pivoting: finding malware domains without seeing malicious activity
    Families: Hancitor

2021-01-13 | InfoSec Handlers Diary Blog | Brad Duncan
    Hancitor activity resumes after a hoilday break
    Families: Hancitor

2021-01-10 | Medium walmartglobaltech | Jason Reaves
    MAN1, Moskal, Hancitor and a side of Ransomware
    Families: Cobalt Strike, Hancitor, SendSafe, VegaLocker, Moskalvzapoe

2019-11-01 | Dodge This Security | Dodge This Security
    Hancitor. Evasive new waves, and how COM objects can use Cached Credentials for Proxy Authentication
    Families: Hancitor

2019-05-01 | Felix Weyne
    Hancitor's Packer Damystified
    Families: Hancitor

2018-11-05 | Vitali Kremez
    Let's Learn: In-Depth Reversing of Hancitor Dropper/Loader: 2016 vs 2018 Malware Progression
    Families: Hancitor

2018-02-27 | Palo Alto Networks Unit 42 | Jeff White
    Dissecting Hancitor’s Latest 2018 Packer
    Families: Hancitor

2018-02-07 | Palo Alto Networks Unit 42 | Brad Duncan, Vicky Ray
    Compromised Servers & Fraud Accounts: Recent Hancitor Attacks
    Families: Hancitor

2016-09-23 | FireEye | Ankit Anubhav, Dileep Kumar Jallepalli
    Hancitor (AKA Chanitor) observed using multiple attack approaches
    Families: Hancitor

2016-08-22 | Palo Alto Networks Unit 42 | Jeff White
    VB Dropper and Shellcode for Hancitor Reveal New Techniques Behind Uptick
    Families: Hancitor

2016-08-19 | Minerva Labs | Minerva Labs Research Team
    New Hancitor Malware: Pimp my Downloaded
    Families: Hancitor

2016-07-12 | Fidelis Cybersecurity | Threat Research Team
    Me and Mr. Robot: Tracking the Actor Behind the MAN1 Crypter
    Families: Hancitor, Vawtrak

2016-05-12 | Proofpoint | Axel F, Matthew Mesa
    Hancitor and Ruckguv Reappear, Updated and With Vawtrak On Deck
    Families: Hancitor, Ruckguv

2015-01-09 | Zscaler | Zscaler
    Chanitor Downloader Actively Installing Vawtrak
    Families: Hancitor
Yara Rules
[TLP:WHITE] win_hancitor_auto (20260504 | Detects win.hancitor.)
rule win_hancitor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.hancitor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 6a00 6824040000 6a00 }
            // n = 4, score = 1000
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6824040000           | push                0x424
            //   6a00                 | push                0

        $sequence_1 = { 6824040000 6a00 6a00 6a00 }
            // n = 4, score = 1000
            //   6824040000           | push                0x424
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_2 = { 6800010000 6a40 68???????? e8???????? 83c40c }
            // n = 5, score = 900
            //   6800010000           | push                0x100
            //   6a40                 | push                0x40
            //   68????????           |                     
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_3 = { 750d e8???????? 83c010 a3???????? }
            // n = 4, score = 800
            //   750d                 | jne                 0xf
            //   e8????????           |                     
            //   83c010               | add                 eax, 0x10
            //   a3????????           |                     

        $sequence_4 = { 6a20 68???????? 68???????? e8???????? 83c410 83f801 }
            // n = 6, score = 700
            //   6a20                 | push                0x20
            //   68????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   83f801               | cmp                 eax, 1

        $sequence_5 = { 55 8bec 81ec58010000 6a44 }
            // n = 4, score = 700
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec58010000         | sub                 esp, 0x158
            //   6a44                 | push                0x44

        $sequence_6 = { 8945f8 8b4df8 894df4 6a00 6a01 8b5508 52 }
            // n = 7, score = 600
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   52                   | push                edx

        $sequence_7 = { 7507 33c0 e9???????? 837de800 0f849a000000 8b4df4 8b5104 }
            // n = 7, score = 600
            //   7507                 | jne                 9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   837de800             | cmp                 dword ptr [ebp - 0x18], 0
            //   0f849a000000         | je                  0xa0
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8b5104               | mov                 edx, dword ptr [ecx + 4]

        $sequence_8 = { 8bec 8b4d08 6a00 6a01 51 }
            // n = 5, score = 600
            //   8bec                 | mov                 ebp, esp
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   51                   | push                ecx

        $sequence_9 = { 66894dfc 0fb755fc 83fa03 752b 8b45f4 8b4d08 0308 }
            // n = 7, score = 600
            //   66894dfc             | mov                 word ptr [ebp - 4], cx
            //   0fb755fc             | movzx               edx, word ptr [ebp - 4]
            //   83fa03               | cmp                 edx, 3
            //   752b                 | jne                 0x2d
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   0308                 | add                 ecx, dword ptr [eax]

        $sequence_10 = { 8b5950 8b4134 53 50 ff7508 }
            // n = 5, score = 600
            //   8b5950               | mov                 ebx, dword ptr [ecx + 0x50]
            //   8b4134               | mov                 eax, dword ptr [ecx + 0x34]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_11 = { 3bc8 72f7 c6043000 40 5e }
            // n = 5, score = 600
            //   3bc8                 | cmp                 ecx, eax
            //   72f7                 | jb                  0xfffffff9
            //   c6043000             | mov                 byte ptr [eax + esi], 0
            //   40                   | inc                 eax
            //   5e                   | pop                 esi

        $sequence_12 = { 8bd8 83fbff 7509 6a00 }
            // n = 4, score = 600
            //   8bd8                 | mov                 ebx, eax
            //   83fbff               | cmp                 ebx, -1
            //   7509                 | jne                 0xb
            //   6a00                 | push                0

        $sequence_13 = { 8bec 83ec2c 8b4508 8945e4 8b4de4 8b5508 03513c }
            // n = 7, score = 600
            //   8bec                 | mov                 ebp, esp
            //   83ec2c               | sub                 esp, 0x2c
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   03513c               | add                 edx, dword ptr [ecx + 0x3c]

        $sequence_14 = { 53 56 57 8b483c 33f6 03c8 6a40 }
            // n = 7, score = 600
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b483c               | mov                 ecx, dword ptr [eax + 0x3c]
            //   33f6                 | xor                 esi, esi
            //   03c8                 | add                 ecx, eax
            //   6a40                 | push                0x40

        $sequence_15 = { 33c0 eb7b 8b4508 0fbe08 83f97b 750b 8b5508 }
            // n = 7, score = 600
            //   33c0                 | xor                 eax, eax
            //   eb7b                 | jmp                 0x7d
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   0fbe08               | movsx               ecx, byte ptr [eax]
            //   83f97b               | cmp                 ecx, 0x7b
            //   750b                 | jne                 0xd
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]

        $sequence_16 = { 51 e8???????? 83c404 ebb1 }
            // n = 4, score = 600
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   ebb1                 | jmp                 0xffffffb3

        $sequence_17 = { 8b4dfc 85c0 7402 8908 8b5518 85d2 }
            // n = 6, score = 600
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   85c0                 | test                eax, eax
            //   7402                 | je                  4
            //   8908                 | mov                 dword ptr [eax], ecx
            //   8b5518               | mov                 edx, dword ptr [ebp + 0x18]
            //   85d2                 | test                edx, edx

        $sequence_18 = { 8b413c 8b440828 03c1 ffd0 33c0 }
            // n = 5, score = 600
            //   8b413c               | mov                 eax, dword ptr [ecx + 0x3c]
            //   8b440828             | mov                 eax, dword ptr [eax + ecx + 0x28]
            //   03c1                 | add                 eax, ecx
            //   ffd0                 | call                eax
            //   33c0                 | xor                 eax, eax

        $sequence_19 = { a3???????? ebc5 8365d400 c745d0049d4000 a1???????? 8945d8 }
            // n = 6, score = 100
            //   a3????????           |                     
            //   ebc5                 | jmp                 0xffffffc7
            //   8365d400             | and                 dword ptr [ebp - 0x2c], 0
            //   c745d0049d4000       | mov                 dword ptr [ebp - 0x30], 0x409d04
            //   a1????????           |                     
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax

        $sequence_20 = { 8b69e8 1540003708 088f65497d4d 89ec 7973 }
            // n = 5, score = 100
            //   8b69e8               | mov                 ebp, dword ptr [ecx - 0x18]
            //   1540003708           | adc                 eax, 0x8370040
            //   088f65497d4d         | or                  byte ptr [edi + 0x4d7d4965], cl
            //   89ec                 | mov                 esp, ebp
            //   7973                 | jns                 0x75

        $sequence_21 = { 83c05b a3???????? a1???????? 0345cc }
            // n = 4, score = 100
            //   83c05b               | add                 eax, 0x5b
            //   a3????????           |                     
            //   a1????????           |                     
            //   0345cc               | add                 eax, dword ptr [ebp - 0x34]

        $sequence_22 = { c705????????053f0f00 c745c007000000 c745dcc8954000 a1???????? 8945ec 8b45d8 2345e4 }
            // n = 7, score = 100
            //   c705????????053f0f00     |     
            //   c745c007000000       | mov                 dword ptr [ebp - 0x40], 7
            //   c745dcc8954000       | mov                 dword ptr [ebp - 0x24], 0x4095c8
            //   a1????????           |                     
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   2345e4               | and                 eax, dword ptr [ebp - 0x1c]

        $sequence_23 = { a3???????? b9382baa99 c7458ce4f25701 ff15???????? 894da0 a1???????? }
            // n = 6, score = 100
            //   a3????????           |                     
            //   b9382baa99           | mov                 ecx, 0x99aa2b38
            //   c7458ce4f25701       | mov                 dword ptr [ebp - 0x74], 0x157f2e4
            //   ff15????????         |                     
            //   894da0               | mov                 dword ptr [ebp - 0x60], ecx
            //   a1????????           |                     

        $sequence_24 = { 83c044 a3???????? 8b45b4 83e803 }
            // n = 4, score = 100
            //   83c044               | add                 eax, 0x44
            //   a3????????           |                     
            //   8b45b4               | mov                 eax, dword ptr [ebp - 0x4c]
            //   83e803               | sub                 eax, 3

        $sequence_25 = { 8b45d8 2345e4 8945d8 c645f300 c645fc65 }
            // n = 5, score = 100
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   2345e4               | and                 eax, dword ptr [ebp - 0x1c]
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax
            //   c645f300             | mov                 byte ptr [ebp - 0xd], 0
            //   c645fc65             | mov                 byte ptr [ebp - 4], 0x65

        $sequence_26 = { a1???????? a3???????? b9382baa99 8d45fc 50 6a00 6a00 }
            // n = 7, score = 100
            //   a1????????           |                     
            //   a3????????           |                     
            //   b9382baa99           | mov                 ecx, 0x99aa2b38
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a00                 | push                0

    condition:
        7 of them and filesize < 106496
}