Hancitor Malware Analysis

File Properties

SHA256: ccb4137fca50b8a57431e0942435162c091d576ad81097e1422b990287b94c33

MD5: ea6b1ff8254124e65e61f620f7d0962d

File Type: dll

Size: 778,127 byte

First Seen: 2021-06-23

AV Signature: Hancitor

Imphash: cafbfea9ad2af4cb82096fba1f88d2b3

Reported By: anonymous

Tags: application/x-dosexec, dll, Hancitor

Static analysis: metadata-based (sample not downloaded)

Hancitor — Malware Profile

Hancitor (Chanitor) email dropper. PuTTY SSH disguise. Cobalt Strike/Ficker dropper.

Malware Type
Loader
Programming Language
C
C2 Protocol
HTTP
Target Systems
Windows

Technical Details

Loader ailesi: HTTP/HTTPS C2, payload sifre cozme ve bellek icerisinde yükleme, anti-sandbox/VM kontrolleri, process injection, persistence mekanizmasi, yükü indirme ve calistirma zinciri

Capabilities & Behavior

Payload İndirme
Süreç Enjeksiyonu
Modüler Mimari
Kimlik Bilgisi Hırsızlığı
Yanal Hareket
Kalıcılık
Anti-VM/Sandbox
İkincil Payload Dağıtımı

IOC List (1 indicators)

IOC — Hancitor
# FILEPATH ccb4137fca50b8a57431e0942435162c091d576ad81097e1422b990287b94c33
TypeValueNote
filepath ccb4137fca50b8a57431e0942435162c091d576ad81097e1422b990287b94c33 PDB

C2 Servers (1 recorded servers for this family)

Address Type Port Protocol Status Country
5.61.46.161 ip 80 HTTP sinkholed UA

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
application/x-dosexecdllHancitor