{
	"id": "1fc42eb8-d96c-41da-b946-25ec39f80094",
	"created_at": "2026-04-06T00:12:19.789429Z",
	"updated_at": "2026-04-10T03:21:28.654992Z",
	"deleted_at": null,
	"sha1_hash": "357f8478bc416731347ac606bc34c9ef4d4475d4",
	"title": "VB Dropper and Shellcode for Hancitor Reveal New Techniques Behind Uptick",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1644416,
	"plain_text": "VB Dropper and Shellcode for Hancitor Reveal New Techniques\r\nBehind Uptick\r\nBy Jeff White\r\nPublished: 2016-08-22 · Archived: 2026-04-05 23:37:57 UTC\r\nThe Hancitor downloader has been relatively quiet since a major campaign back in June 2016. But over the past\r\nweek, while performing research using Palo Alto Networks AutoFocus, we noticed a large uptick in the delivery\r\nof the Hancitor malware family as they shifted away from H1N1 to distribute Pony and Vawtrak executables. In\r\nparallel, we received reports from other firms and security researchers seeing similar activity, which pushed us to\r\nlook into this further.\r\nFigure 1 AutoFocus view of new sessions of Hancitor since July 2016\r\nThe delivery method for these documents remained consistent with other common malicious e-mail campaigns.\r\nLures contained subjects related to recent invoices, or other matters requiring the victim’s attention, such as an\r\noverdue bill. These lures were expected, until we started digging into the actual documents attached and saw an\r\ninteresting method within the Visual Basic (VB) macros in the attached documents used for dropping the malware.\r\nThis blog will review in detail the dropping technique, which isn’t technically new, but this was the first time\r\nwe’ve seen it used in this way. 
The end goal is to identify where the binary was embedded, but we’ll cover the\r\nmacro and the embedded shellcode throughout this post.\r\nThe Word Document\r\nFor this section, we’ll be looking at the file with a SHA256 hash of\r\n‘03aef51be133425a0e5978ab2529890854ecf1b98a7cf8289c142a62de7acd1a’, which is a typical MS Office\r\nOLE2 Word Document with your standard ploy to ‘Enable Content’ and run the malicious macro.\r\nhttps://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/\r\nPage 1 of 10\n\nFigure 2 The ploy used by the malicious document\r\nOpening the Visual Basic editor up, we can see two forms and a module for this particular sample.\r\nFigure 3 VBProject components\r\nThe Malicious Macro\r\nVisual Basic can directly execute Microsoft Windows API calls, which allows it to perform a number of interesting\r\nfunctions, which is exactly what this VB code is doing.\r\nFigure 4 Microsoft Windows API calls within VB code\r\nAs we can see, the macro includes logic to determine the architecture of the system it’s running on and has the\r\nability to execute correctly on either 32-bit or 64-bit platforms. The primary calls of interest for us will be\r\nVirtualAlloc(), RtlMoveMemory(), and CallWindowProcA().\r\nWhen we originally started looking at this sample, we were mainly interested in where the payload was being\r\nstored, so we began debugging the macro to understand how it functions. The payload in question is base64-\r\nencoded and embedded within a form in the VBProject as a value of the ‘Text’ field on the ‘choline’ TextBox.\r\nAs a side note, what is really interesting is that the authors went through the trouble to actually write their own\r\nbase64 decoder purely in VB. 
We’ll leave it as an exercise for the reader to dig into, but it’s a good overview\r\nof how base-N encoding works; the entire ‘maria’ module within this macro is the base64 decoder.\r\nThe macro base64 decodes the payload into a local byte-array and then we come to our first API call,\r\nVirtualAlloc().\r\nFigure 5 Memory page being allocated\r\nThe call commits specific pages of memory with read, write, and executable (RWX) permissions at 0x59B0000.\r\nFigure 6 New memory page with RWX permissions\r\nAfterwards, the VB macro continues to set up the next call to RtlMoveMemory and then calls it with the location\r\nof the memory from the previous call and our base64 decoded byte array.\r\nFigure 7 Base64-decoded byte array\r\nWe can quickly validate by dumping that region of memory in our WINWORD.EXE process and comparing\r\ntransferred bytes.\r\nFigure 8 Confirming bytes match from dumped memory\r\nNow that our code has been copied into executable memory, the macro sets up the last API call for\r\nCallWindowProcA(). The first value supplied to this call is our memory offset +2214, which is a function pointer\r\nwithin this code, and the second is a string of the path to our file for a handle. 
These actions redirect code\r\nexecution to shellcode.\r\nFigure 9 Passing execution to the shellcode\r\nThe Shellcode\r\nIf we attach to WINWORD.EXE and break on the offset of our memory location +2214 (0x8A6), the entry point\r\nof the shellcode, we can validate program execution shifts to this code path.\r\nFigure 10 Validating shellcode is executing\r\nFrom here, the shellcode gets the address for the LdrLoadDLL() function, which is similar to LoadLibraryEx(), by\r\nenumerating the Process Environment Block (PEB) and then begins to hunt for the functions it will use within\r\nkernel32.dll.\r\nThe values for the functions it’s looking for, along with other values, are embedded into the shellcode and built on\r\nthe stack for later usage.\r\nFigure 11 Embedded data in shellcode\r\nFollowing these sets of encoded names, we can see the shellcode is interested in the following Windows API functions:\r\nCloseHandle(), ReadFile(), GetFileSize(), VirtualFree(), VirtualAlloc(), and CreateFileA(). For each API call, it\r\nlooks up the address of the function and stores it on the stack.\r\nNext, the shellcode calls CreateFileA() on the Word document and receives a handle back, which it passes to\r\nGetFileSize() for the file size, which is then subsequently passed to VirtualAlloc() to create a section of memory for\r\nthe file contents (0x2270000). 
Finally, it reads in the file to that memory location and closes the handle.\r\nFigure 12 Egg hunting by the shellcode\r\nOnce it has the copy loaded into memory, it begins a process of hunting through memory for the magic bytes\r\n0x504F4C41, which we can see is located at 0x022836F3 in our new memory page.\r\nFigure 13 Egg located\r\nNow that we’ve found what’s likely to be our binary, the last step is to just decode it. Looking at the shellcode, we\r\ncan see that it will add 0x3 to each byte starting at 0x22836FF, in our example, and then XOR it by 0x13, as\r\nshown below.\r\nFigure 14 XOR decrypting\r\nOnce the counter reaches 0x13AAC (80556), it begins a series of sub-routines to manipulate each byte and\r\ndecrypt the binary. If we set a breakpoint after the decryption routine and check our memory location, we can see\r\nthat the binary is decoded and can now be dumped for further analysis. The MZ and PE headers can be seen in the\r\nfollowing dumped memory.\r\nFigure 15 Decoded binary\r\nFor this particular campaign run with this dropper, it places the binary in the %TMP% directory before launching\r\nit, which then ends up writing itself to ‘%SYSTEMROOT%/system32/WinHost.exe’.\r\nAt this point, the Hancitor downloader has been fully loaded on the victim’s machine, where it will proceed to\r\nperform additional malicious activities.\r\nConclusion\r\nMacro-based techniques are quite common, but the technique being used here with the macro dropper is an\r\ninteresting variation. 
From the encoded shellcode within the macro and the use of native API calls within VB code to\r\npass execution, to carving out and decrypting the embedded malware from the Word document, it’s a new use of\r\nHancitor that we’ll be following closely.\r\nPalo Alto Networks customers are protected from the dropper detailed throughout this blog and its contained\r\nHancitor payload. You can continue to track this threat through the AutoFocus Hancitor tag. Additionally, all\r\nHancitor downloader samples are identified as malicious in WildFire. Domains used by Hancitor are also\r\ncategorized as malicious.\r\nAcknowledgements\r\nFor more analysis of the Hancitor payload, please see this write-up by Minerva Labs.\r\nIndicators of Compromise\r\nBelow are some of the most common observed e-mail subjects and file names seen in the latest campaign this\r\nweek from over 380,000 sessions. Variable portions are substituted with a regex or a placeholder.\r\nEmail Subjects\r\n\u003cdomain\u003e invoice for \u003cmonth\u003e\r\nlevi.com invoice for august\r\n\u003cdomain\u003e bill\r\n\u003cdomain\u003e deal\r\n\u003cdomain\u003e receipt\r\n\u003cdomain\u003e contract\r\n\u003cdomain\u003e invoice\r\nmetlife.com bill\r\nmetlife.com deal\r\nmetlife.com receipt\r\nmetlife.com contract\r\nmetlife.com invoice\r\nFile Names\r\nartifact[0-9]{9}.doc\r\nbcbsde.com_contract.doc\r\ncontract_[0-9]{6}.doc\r\ngeneric.doc\r\nprice_list.doc_[0-9]{6}.doc\r\nreport_[0-9]{6}.doc\r\nIn addition, we observed these C2 calls out during analysis, which can be detected at your perimeter by the use 
of\r\n‘/(sl|zapoy)/gate.php’.\r\nThe below Yara rule can be used to detect this particular dropper and technique described throughout this blog.\r\nrule hancitor_dropper : vb_win32api\r\n{\r\n  meta:\r\n    author = \"Jeff White - jwhite@paloaltonetworks @noottrak\"\r\n    date   = \"18AUG2016\"\r\n    hash1  = \"03aef51be133425a0e5978ab2529890854ecf1b98a7cf8289c142a62de7acd1a\"\r\n    hash2  = \"4b3912077ef47515b2b74bc1f39de44ddd683a3a79f45c93777e49245f0e9848\"\r\n    hash3  = \"a78972ac6dee8c7292ae06783cfa1f918bacfe956595d30a0a8d99858ce94b5a\"\r\n  strings:\r\n    $api_01 = { 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 }  // VirtualAlloc\r\n    $api_02 = { 00 52 74 6C 4D 6F 76 65 4D 65 6D 6F 72 79 00 }  // RtlMoveMemory\r\n    $api_04 = { 00 43 61 6C 6C 57 69 6E 64 6F 77 50 72 6F 63 41 00 }  // CallWindowProcA\r\n    
$magic  = { 50 4F 4C 41 }  // POLA\r\n  condition:\r\n    uint32be(0) == 0xD0CF11E0 and all of ($api_*) and $magic\r\n}\r\nSource: https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/"
	],
	"report_names": [
		"unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick"
	],
	"threat_actors": [],
	"ts_created_at": 1775434339,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/357f8478bc416731347ac606bc34c9ef4d4475d4.pdf",
		"text": "https://archive.orkl.eu/357f8478bc416731347ac606bc34c9ef4d4475d4.txt",
		"img": "https://archive.orkl.eu/357f8478bc416731347ac606bc34c9ef4d4475d4.jpg"
	}
}