HP Threat Research Blog Hancitor Infection Chain Analysis: An Examination of its Unpacking Routine and Execution Techniques

February 26, 2021 Category: Threat Research By: Patrick Schläpfer


In this article, we describe how Hancitor compromises systems based on its infection chain observed in January and February 2021. We cover its unpacking routine, information gathering and command and control (C2) functions, and payload execution techniques.

The malware Hancitor

Hancitor (aka Chanitor) is a downloader used to gain initial access to a victim's computer. Its main purpose is to download and execute a second-stage malware payload from one of several encrypted URLs embedded in the malware itself. The downloader was first seen in 2014, when it commonly deployed Pony and Vawtrak. Like many other malware families, Hancitor became active again in early 2021 following the festive period. The first Hancitor malicious spam wave of 2021 started on 12 January, with the malware distributed as Word document email attachments. Sin