win.hancitor

Hancitor

aka: Chanitor

Hancitor (aka Chanitor) emerged in 2013 and spreads mainly through social engineering, typically phishing emails that carry a malicious link or a weaponized Microsoft Office document containing a malicious macro.

References
2021-01-13 | InfoSec Handlers Diary Blog | Brad Duncan
@online{duncan:20210113:hancitor:55f3ea5, author = {Brad Duncan}, title = {{Hancitor activity resumes after a hoilday break}}, date = {2021-01-13}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/}, language = {English}, urldate = {2021-01-21} }
Families: Hancitor

2021-01-10 | Medium walmartglobaltech | Jason Reaves
@online{reaves:20210110:man1:54a4162, author = {Jason Reaves}, title = {{MAN1, Moskal, Hancitor and a side of Ransomware}}, date = {2021-01-10}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618}, language = {English}, urldate = {2021-01-11} }
Families: Cobalt Strike, Hancitor, SendSafe, VegaLocker, Zeppelin Ransomware

2019-11-01 | Dodge This Security | Dodge This Security
@online{security:20191101:hancitor:1e78408, author = {Dodge This Security}, title = {{Hancitor. Evasive new waves, and how COM objects can use Cached Credentials for Proxy Authentication}}, date = {2019-11-01}, organization = {Dodge This Security}, url = {https://www.dodgethissecurity.com/2019/11/01/hancitor-evasive-new-waves-and-how-com-objects-can-use-cached-credentials-for-proxy-authentication/}, language = {English}, urldate = {2020-01-07} }
Families: Hancitor

2019-05 | Felix Weyne
@online{weyne:201905:hancitors:9fccb0b, author = {Felix Weyne}, title = {{Hancitor's Packer Damystified}}, date = {2019-05}, url = {https://www.uperesia.com/hancitor-packer-demystified}, language = {English}, urldate = {2020-01-07} }
Families: Hancitor

2018-11-05 | Vitali Kremez
@online{kremez:20181105:lets:aed7583, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth Reversing of Hancitor Dropper/Loader: 2016 vs 2018 Malware Progression}}, date = {2018-11-05}, url = {https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html}, language = {English}, urldate = {2020-01-07} }
Families: Hancitor

2018-02-27 | Palo Alto Networks Unit 42 | Jeff White
@online{white:20180227:dissecting:4a4c07e, author = {Jeff White}, title = {{Dissecting Hancitor’s Latest 2018 Packer}}, date = {2018-02-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/}, language = {English}, urldate = {2019-12-20} }
Families: Hancitor

2018-02-07 | Palo Alto Networks Unit 42 | Vicky Ray, Brad Duncan
@online{ray:20180207:compromised:01adde2, author = {Vicky Ray and Brad Duncan}, title = {{Compromised Servers & Fraud Accounts: Recent Hancitor Attacks}}, date = {2018-02-07}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/}, language = {English}, urldate = {2019-12-20} }
Families: Hancitor

2016-09-23 | FireEye | Ankit Anubhav, Dileep Kumar Jallepalli
@online{anubhav:20160923:hancitor:220140e, author = {Ankit Anubhav and Dileep Kumar Jallepalli}, title = {{Hancitor (AKA Chanitor) observed using multiple attack approaches}}, date = {2016-09-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html}, language = {English}, urldate = {2019-12-20} }
Families: Hancitor

2016-08-22 | Palo Alto Networks Unit 42 | Jeff White
@online{white:20160822:vb:7220081, author = {Jeff White}, title = {{VB Dropper and Shellcode for Hancitor Reveal New Techniques Behind Uptick}}, date = {2016-08-22}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/}, language = {English}, urldate = {2019-12-20} }
Families: Hancitor

2016-08-19 | Minerva Labs | Minerva Labs Research Team
@online{team:20160819:new:dead711, author = {Minerva Labs Research Team}, title = {{New Hancitor Malware: Pimp my Downloaded}}, date = {2016-08-19}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader}, language = {English}, urldate = {2019-10-15} }
Families: Hancitor

2016-05-12 | Proofpoint | Axel F, Matthew Mesa
@online{f:20160512:hancitor:9c250c0, author = {Axel F and Matthew Mesa}, title = {{Hancitor and Ruckguv Reappear, Updated and With Vawtrak On Deck}}, date = {2016-05-12}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear}, language = {English}, urldate = {2019-12-20} }
Families: Hancitor, Ruckguv

2015-01-09 | Zscaler | Zscaler
@online{zscaler:20150109:chanitor:432f3d9, author = {Zscaler}, title = {{Chanitor Downloader Actively Installing Vawtrak}}, date = {2015-01-09}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak}, language = {English}, urldate = {2019-12-18} }
Families: Hancitor
Yara Rules
[TLP:WHITE] win_hancitor_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_hancitor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6824040000 6a00 6a00 6a00 }
            // n = 4, score = 700
            //   6824040000           | push                0x424
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_1 = { 6a00 6a00 6824040000 6a00 }
            // n = 4, score = 700
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6824040000           | push                0x424
            //   6a00                 | push                0

        $sequence_2 = { 68???????? 8d85dcfaffff 50 ff15???????? }
            // n = 4, score = 600
            //   68????????           |                     
            //   8d85dcfaffff         | lea                 eax, [ebp - 0x524]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_3 = { 6800010000 6a40 68???????? e8???????? }
            // n = 4, score = 500
            //   6800010000           | push                0x100
            //   6a40                 | push                0x40
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_4 = { 57 ff7508 ff15???????? 5f 8bc6 5e }
            // n = 6, score = 400
            //   57                   | push                edi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi

        $sequence_5 = { 8908 8b5518 85d2 740a }
            // n = 4, score = 400
            //   8908                 | mov                 dword ptr [eax], ecx
            //   8b5518               | mov                 edx, dword ptr [ebp + 0x18]
            //   85d2                 | test                edx, edx
            //   740a                 | je                  0xc

        $sequence_6 = { 7448 8b5508 0fbe02 85c0 7504 }
            // n = 5, score = 400
            //   7448                 | je                  0x4a
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   0fbe02               | movsx               eax, byte ptr [edx]
            //   85c0                 | test                eax, eax
            //   7504                 | jne                 6

        $sequence_7 = { a1???????? 33c5 8945fc 6804010000 8d85f8feffff 50 ff15???????? }
            // n = 7, score = 400
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   6804010000           | push                0x104
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_8 = { 55 8bec 8b4508 8078013a }
            // n = 4, score = 400
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8078013a             | cmp                 byte ptr [eax + 1], 0x3a

        $sequence_9 = { 8b4804 894de8 8b5508 0355d8 8955f4 8b45f0 83780400 }
            // n = 7, score = 400
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   894de8               | mov                 dword ptr [ebp - 0x18], ecx
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   0355d8               | add                 edx, dword ptr [ebp - 0x28]
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   83780400             | cmp                 dword ptr [eax + 4], 0

        $sequence_10 = { 50 e8???????? 83c40c c785b4feffff44000000 }
            // n = 4, score = 400
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   c785b4feffff44000000 | mov                 dword ptr [ebp - 0x14c], 0x44

        $sequence_11 = { 8b45f4 8b4d10 034c100c 51 e8???????? 83c40c ebb7 }
            // n = 7, score = 400
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   034c100c             | add                 ecx, dword ptr [eax + edx + 0xc]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   ebb7                 | jmp                 0xffffffb9

        $sequence_12 = { 7523 6800040000 e8???????? 83c404 a3???????? }
            // n = 5, score = 400
            //   7523                 | jne                 0x25
            //   6800040000           | push                0x400
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   a3????????           |                     

        $sequence_13 = { 8bec 8b4d08 6a00 6a01 51 8b413c }
            // n = 6, score = 400
            //   8bec                 | mov                 ebp, esp
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   51                   | push                ecx
            //   8b413c               | mov                 eax, dword ptr [ecx + 0x3c]

        $sequence_14 = { c745e801000000 33d2 0f852dffffff 837df800 }
            // n = 4, score = 400
            //   c745e801000000       | mov                 dword ptr [ebp - 0x18], 1
            //   33d2                 | xor                 edx, edx
            //   0f852dffffff         | jne                 0xffffff33
            //   837df800             | cmp                 dword ptr [ebp - 8], 0

        $sequence_15 = { 85c0 7408 8b85f4feffff eb02 33c0 8b4dfc }
            // n = 6, score = 400
            //   85c0                 | test                eax, eax
            //   7408                 | je                  0xa
            //   8b85f4feffff         | mov                 eax, dword ptr [ebp - 0x10c]
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_16 = { 894588 817d886c972d01 7d27 8b45e4 }
            // n = 4, score = 100
            //   894588               | mov                 dword ptr [ebp - 0x78], eax
            //   817d886c972d01       | cmp                 dword ptr [ebp - 0x78], 0x12d976c
            //   7d27                 | jge                 0x29
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]

        $sequence_17 = { 833d????????00 7414 8b45e4 0345c0 }
            // n = 4, score = 100
            //   833d????????00       |                     
            //   7414                 | je                  0x16
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   0345c0               | add                 eax, dword ptr [ebp - 0x40]

        $sequence_18 = { a1???????? 83c044 a3???????? 8b45f8 40 40 8945f8 }
            // n = 7, score = 100
            //   a1????????           |                     
            //   83c044               | add                 eax, 0x44
            //   a3????????           |                     
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   40                   | inc                 eax
            //   40                   | inc                 eax
            //   8945f8               | mov                 dword ptr [ebp - 8], eax

        $sequence_19 = { 8945c0 a1???????? 83c044 a3???????? 8b45a0 05c8d45566 0f8482000000 }
            // n = 7, score = 100
            //   8945c0               | mov                 dword ptr [ebp - 0x40], eax
            //   a1????????           |                     
            //   83c044               | add                 eax, 0x44
            //   a3????????           |                     
            //   8b45a0               | mov                 eax, dword ptr [ebp - 0x60]
            //   05c8d45566           | add                 eax, 0x6655d4c8
            //   0f8482000000         | je                  0x88

        $sequence_20 = { a3???????? 817df8b07d0900 0f8ced000000 a1???????? a3???????? b9382baa99 8d45fc }
            // n = 7, score = 100
            //   a3????????           |                     
            //   817df8b07d0900       | cmp                 dword ptr [ebp - 8], 0x97db0
            //   0f8ced000000         | jl                  0xf3
            //   a1????????           |                     
            //   a3????????           |                     
            //   b9382baa99           | mov                 ecx, 0x99aa2b38
            //   8d45fc               | lea                 eax, [ebp - 4]

        $sequence_21 = { a3???????? 8b45b4 83e803 8945b4 eb22 }
            // n = 5, score = 100
            //   a3????????           |                     
            //   8b45b4               | mov                 eax, dword ptr [ebp - 0x4c]
            //   83e803               | sub                 eax, 3
            //   8945b4               | mov                 dword ptr [ebp - 0x4c], eax
            //   eb22                 | jmp                 0x24

        $sequence_22 = { 83c052 8945cc 8365e400 c745bc0a000000 }
            // n = 4, score = 100
            //   83c052               | add                 eax, 0x52
            //   8945cc               | mov                 dword ptr [ebp - 0x34], eax
            //   8365e400             | and                 dword ptr [ebp - 0x1c], 0
            //   c745bc0a000000       | mov                 dword ptr [ebp - 0x44], 0xa

        $sequence_23 = { a1???????? 83c05b a3???????? a1???????? 0345cc a3???????? 817df8b07d0900 }
            // n = 7, score = 100
            //   a1????????           |                     
            //   83c05b               | add                 eax, 0x5b
            //   a3????????           |                     
            //   a1????????           |                     
            //   0345cc               | add                 eax, dword ptr [ebp - 0x34]
            //   a3????????           |                     
            //   817df8b07d0900       | cmp                 dword ptr [ebp - 8], 0x97db0

    condition:
        7 of them and filesize < 106496
}