# Unpacking Hancitor malware

**muha2xmad.github.io/unpacking/hancitor/**

### Muhammad Hasan Ali

Malware Analysis learner

1 minute read

**As-salamu Alaykum**

## Introduction


January 8, 2022


Hancitor is an information stealer and malware downloader used by a threat actor
designated as MAN1, Moskalvzapoe or TA511. In a threat brief from 2018, we noted Hancitor
was relatively unsophisticated, but it would remain a threat for years to come. Approximately
three years later, Hancitor remains a threat and has evolved to use tools like Cobalt Strike. In
recent months, this actor began using a network ping tool to help enumerate the Active
Directory (AD) environment of infected hosts. This blog illustrates how the threat actor
behind Hancitor uses the network ping tool, so security professionals can better identify and
block its use. [1](https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/)

MD5: FF9D0327538AB33468A8AD2142EFF416

## Packed indicators


-----

If we open it in `DiE or` `pestudio we will notice that it’s Not packed.`

Another way to detect packing is to open it in `IDA and if you see less number of functions`
then It’s packed.

Figure(1):

## Unpacking process

How unpacking works? well, packing process depands on the packer. So each packer has
different unpacking routine.

So in this sample we will begin by setting two breakpoints in `VirtualAlloc and`
```
VirtualProtect . Then run f9 to hit the first breakpoint and then run again to hit the 2nd

```
one which is `VirtualAlloc . Then step over` `f8 to the call of virtualalloc. Then dump`


-----

Figure(2):

Then run again to get to virtualalloc to the 2nd time and see what dump has.

Figure(3):

We keep pressing `run to hit the breakpoint of VirtualAlloc` **7 times. After that we we hit**
```
run again.

```
Figure(4):

We will see our unpacked `exe in the dump. Then we` `Follow in Memory map and save`
to file. And `Image base is` `230000 .`


-----

Figure(5):

## Unmap the unpacked file

To get `improts of the unpacked file. We need to repair the section headers see my article`
[Here. After unmapping you can see](https://muha2xmad.github.io/malware-analysis/emotet-part-2/#unmap-the-unpacked-file) `Imports and` `libraries .`

## Article quote

وﻣﺎذا ﯾﻬﻢ إذا ﻟﻢ ﺗﻜﻦ اﻟﺤﯿﺎة ﻋﻠﻰ ﻣﺎ ﯾُﺮام؟

## REF

1- [https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/](https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/)

2- [VirtualAlloc](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc)

3- [VirtualProtect](https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect)


-----