# SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center SANS Site Network Current Site SANS Internet Storm Center Other SANS Sites Help Graduate Degree Programs Security Training Security Certification Security Awareness Training Penetration Testing Industrial Control Systems Cyber Defense Foundations DFIR Software Security Government OnSite Training InfoSec Handlers Diary Blog **isc.sans.edu/diary/rss/27618** ## Hancitor tries XLL as initial malware file **Published: 2021-07-09** **Last Updated: 2021-07-09 01:44:31 UTC** **by** [Brad Duncan (Version: 1)](https://isc.sans.edu/handler_list.html#brad-duncan) [3 comment(s)](https://isc.sans.edu/forums/diary/Hancitor+tries+XLL+as+initial+malware+file/27618/#comments) **_Introduction_** On Thursday 2021-07-08, for a short while when Hancitor was initially active, if any victims clicked on a malicious link from the malspam, they would receive a XLL file instead of a malicious Word doc. I tried one of the email links in my lab and received the malicious XLL file. After other researchers reported they were receiving Word documents, I tried a few hours later and received a Word document instead. ----- _Shown above: Flow chart for my first Hancitor infection on 2021-07-08._ Since November 2020, Hancitor has consistently followed specific patterns of infection activity, and [my previous diary from January 2021 is typical of what I've seen. Only one](https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/) change has happened recently. Since June 8th 2021, malicious spam (malspam) pushing Hancitor switched from docs.google.com links in their messages to using **_[feedproxy.google.com URLs, which was initially reported by @James_inthe_box,](https://twitter.com/James_inthe_box/status/1402273859278082052)_** [@mesa_matt, and](https://twitter.com/mesa_matt/status/1402313759989932036) [@executemalware.](https://twitter.com/executemalware/status/1402394091644723205) ----- _Shown above: Flow chart for my second Hancitor infection on 2021-07-08 (what I normally_ _see)._ [I've also seen these Google feedproxy URLs used for Hancitor infections, but I had not seen](https://www.malware-traffic-analysis.net/2021/06/17/index.html) the XLL files until now. **_What is an XLL file?_** [XLL files are Excel add-in files. They're DLL files specifically designed to be run by Microsoft](https://www.lifewire.com/xll-file-2622527) Excel. Think of an XLL file as an "Excel DLL." **_The emails_** As usual, emails for this wave of Hancitor used a DocuSign theme, and they spoofed **_cabanga[.]com as the sending domain. Just like in recent weeks, links went to a Google_** feedproxy URL. ----- _Shown above: Example of malspam pushing Hancitor from 2021-07-08._ The Google feedproxy URL leads to a malicious page on a compromised webite designed to send the initial malicious file and redirect the browser to DocuSign's website. I've described [the process here and](https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/) [here. This process makes it appear as if the file was offered by](https://unit42.paloaltonetworks.com/wireshark-tutorial-hancitor-followup-malware/) DocuSign, when it was actually sent through a malicious web page. ----- _Shown above: The website for DocuSign appears in a victim's browser immediately after a_ _malicious file is offered for download._ Remember, this malicious activity is not caused by DocuSign. DocuSIgn is one of many companies that cybercriminals impersonate when distributing malware like Hancitor. DocuSign is aware of this long-running effort by the criminals behind Hancitor, and the [company has guidelines for dealing with this sort of malicious activity.](https://www.docusign.com/blog/dealing-with-spam-malware-and-viruses-2) **_Running the XLL_** When opening the XLL file, Excel asks if you want to enable the add-in as shown below. _Shown above: Opening the malicious XLL file in Excel._ ----- The default option was to leave the add-in disabled. But when I opened the XLL file in my lab enviornment, I enabled all code for the add-in. Excel immediately ran the add-in and closed. I didn't see any sort of fake template like we usually see when Hancitor uses a Word document as the initial file. **_Infection traffic_** During my first infection run with the XLL file, most of the traffic followed known patterns for Hancitor and Cobalt Strike, I saw two additional URLs as noted below. _Shown above: Traffic from my first Hancitor infection filtered in Wireshark, with the two_ _unusual URLs noted._ Thes two URLs returned files that were saved to my Windows client in the C:\Users\Public\ directory. The first URL returned an HTML file that was saved as res32.hta. That .hta file retrieved an EXE for Hancitor which was saved as snd32sys.exe. ----- _Shown above: HTML (.hta) and EXE files saved the Windows host._ Hancitor showed a build number of 0707in2_wvcr in C2 traffic caused by the EXE. During my second infection run with a Hancitor DLL, I saw a build number of 0707_wvcr, _Shown above: C2 traffic from Hancitor EXE during my first infection._ ----- _Shown above: C2 traffic from Hancitor DLL during my second infection._ **_Indicators of Compromise (IOCs)_** [This Github page contains 35 Google feedproxy URLs and 35 associated URLs used to send](https://github.com/brad-duncan/IOCs/blob/main/2021-07-08-Hancitor-links.txt) the initial malicious file. Other indicators follow. SHA256 hash: [73b8c566d8cdf3200daa0b698b9d32a49b1ea8284a1e6aa6408eb9c9daaacb71](https://bazaar.abuse.ch/sample/73b8c566d8cdf3200daa0b698b9d32a49b1ea8284a1e6aa6408eb9c9daaacb71/) File size: 24,488 bytes File name: 0708_0112181856.xll File description: Excel add-in (an "Excel DLL") SHA256 hash: [da92436d2bbcdef52b11ace6e2e063e9971cefc074d194550bd425305c97cdd5](https://bazaar.abuse.ch/sample/da92436d2bbcdef52b11ace6e2e063e9971cefc074d194550bd425305c97cdd5/) File size: 8,419 bytes File location: hxxp://srand04rf[.]ru/92375234.xml File location: C:\Users\Public\res32.hta File description: HTML file used to retrieve Hancitor EXE ----- SHA256 hash: [3db14214a9eb98b3b5abffcb314c808a25ed82456ce01251d31e8ea960f6e4e6](https://bazaar.abuse.ch/sample/3db14214a9eb98b3b5abffcb314c808a25ed82456ce01251d31e8ea960f6e4e6/) File size: 763,392 bytes File location: hxxp://srand04rf[.]ru/08.jpg File location: C:\Users\Public\snd32sys.exe File description: Hancitor EXE [SHA256 hash: b4d402b4ab3b5a5568f35562955d5d05357a589ccda55fde5a2c166ef5f15699](https://bazaar.abuse.ch/sample/b4d402b4ab3b5a5568f35562955d5d05357a589ccda55fde5a2c166ef5f15699/) File size: 898,048 bytes File name: 0708_3355614568218.doc File description: Word doc with macros for Hancitor [SHA256 hash: 4dc9d5ee1debdba0388fbb112d4bbbc01bb782f015e798cced3fc2edb17ac557](https://bazaar.abuse.ch/sample/4dc9d5ee1debdba0388fbb112d4bbbc01bb782f015e798cced3fc2edb17ac557/) File size: 274,432 bytes File location: C:\Users\[username]\AppData\Roaming\Microsoft\Template\niberius.dll File description: Hancitor DLL Run method: rundll32.exe [filename],ONOQWPYIEIR SHA256 hash: [dee4bb7d46bbbec6c01dc41349cb8826b27be9a0dcf39816ca8bd6e0a39c2019](https://bazaar.abuse.ch/sample/dee4bb7d46bbbec6c01dc41349cb8826b27be9a0dcf39816ca8bd6e0a39c2019/) File size: 272,910 bytes File location: hxxp://srand04rf[.]ru/7hfjsdfjks.exe File description: EXE for Ficker Stealer malware Note: This file was first submitted to VirusTotal on 2021-06-09. Traffic related to Hancitor: 8.211.241[.]0 port 80 - srand04rf[.]ru - GET /92375234.xml 8.211.241[.]0 port 80 - srand04rf[.]ru - GET /08.jpg port 80 - api.ipify.org - GET / [not inherently malicious] 77.222.42[.]67 port 80 - sudepallon[.]com - POST /8/forum.php 194.147.78[.]155 port 80 - anspossthrly[.]ru - POST /8/forum.php 194.147.115[.]74 port 80 - thentabecon[.]ru - POST/8/forum.php Traffic related to Ficker Stealer: 8.211.241[.]0 port 80 - srand04rf[.]ru - GET /7hfjsdfjks.exe port 80 - api.ipify.org - GET /?format=xml [not inherently malicious] 95.213.179[.]67 port 80 - pospvisis[.]com - TCP traffic Traffic related to Cobalt Strike: ----- 8.211.241[.]0 port 80 - srand04rf[.]ru - GET /0707s.bin 8.211.241[.]0 port 80 - srand04rf[.]ru - GET /0707.bin 191.101.17[.]21 port 443 - HTTPS traffic 191.101.17[.]21 port 80 - 191.101.17[.]21 - GET /5lyB 191.101.17[.]21 port 80 - 191.101.17[.]21 - GET /IE9CompatViewList.xml 191.101.17[.]21 port 80 - 191.101.17[.]21 - POST /submit.php?id=[9-digit number] **_Final words_** [A pcap of the infection traffic from my first infection run (with the XLL file) can be found here.](https://github.com/brad-duncan/IOCs/blob/main/2021-07-08-Hancitor-XLL-infection-with-Cobalt-Strike.pcap.zip) -- Brad Duncan brad [at] malware-traffic-analysis.net [Keywords: TA511](https://isc.sans.edu/tag.html?tag=TA511) [Moskalvzapoe](https://isc.sans.edu/tag.html?tag=Moskalvzapoe) [MAN1](https://isc.sans.edu/tag.html?tag=MAN1) [Hancitor](https://isc.sans.edu/tag.html?tag=Hancitor) [Ficker Stealer](https://isc.sans.edu/tag.html?tag=Ficker%20Stealer) [Cobalt Strike](https://isc.sans.edu/tag.html?tag=Cobalt%20Strike) [Chanitor](https://isc.sans.edu/tag.html?tag=Chanitor) [3 comment(s)](https://isc.sans.edu/forums/diary/Hancitor+tries+XLL+as+initial+malware+file/27618/) Join us at SANS! Attend [with Brad Duncan in starting](https://isc.sans.edu/diary/rss/27618) Top of page × [Diary Archives](https://isc.sans.edu/diaryarchive.html) -----