# New Hancitor Malware: Pimp my Downloaded

**[blog.minerva-labs.com/new-hancitor-pimp-my-downloader](https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader)**

[Tweet](https://twitter.com/share)

Hancitor (AKA Chanitor and TorDal) is a downloader-type malware – out there for almost two
years now. Downloaders contact the C2 servers after establishing an initial foothold on the
victim's machine – downloading and installing Trojans, bots and other kinds of malware.


-----

[Last May malware researchers at Proofpoint revealed that they observed the re-emergence](https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear)
of Hancitor.

This specific downloader has three core capabilities:

Downloading and executing an exe file from a URL
Downloading a DLL from a URL and executing it without writing it to the disk, but by
writing it directly to the memory space of the downloader
Deleting itself

Any of those commands may be received by the downloader after transmitting a "beacon"
HTTP post request to the C2 server. This request includes basic fingerprinting info unique to
each endpoint and enables the attacker to easily manage the machines of many victims
concurrently while possibly infecting different endpoints with different types of malware in
later infection stages.

## The Augmented Hancitor

Last week we were contacted by one of our clients after he received a notification from one
of Minerva's agents.

A short forensic analysis enabled us to trace a phishing email containing a malicious
attachment titledCompanyPublicMailServer.com_contract. We assumed that this is a wide
Dridex-style spam based infection campaign and indeed a simple search in a publicly
available sandbox proved that this was a pattern as we were able to find over 20 different
malicious documents similar to the one sent to our clients:


-----

Documents infected with Hancitor
The malicious Microsoft Word .doc attachment had an embedded VBA macro script with a
short message aimed at luring the victim to enable the execution of the script.

After enable editing is clicked - malware will execute
Unlike the document used to drop Hancitor in Proofpoint's investigations our sample had
some extra features:

**Handling x86/x64 architectures seamlessly – including adaptation of pointers and**
imported functions:


-----

Changing the flow according to the OS version
These characteristics greatly increase the chances of successfully infecting the victim's
machine, saving noisy crashes of the macro as a bonus.

**Using CallWindowProcA Windows API to execute a code written to the heap –**
As [explained in](https://waleedassar.blogspot.co.il/2012/03/visual-basic-malware-part-1.html) [Waleed Assar's blog – it allows the malware to avoid suspicious API](https://twitter.com/waleedassar)
calls as ShellExecute and CreateProcess and the need to write this intermediate
shellcode-like dropper stage to the disk. It is uncommon to see this technique
implemented in VBA script, however – it is used by .exe files in the wild at
least [since Citadel.](https://blog.malwarebytes.com/threat-analysis/2014/02/how-to-unpack-a-self-injecting-citadel-trojan/)

Hancitor dropped and executed by the malicious macro


-----

Now, Hancitor is finally running. On its initial execution it is running under a random looking
hard coded name (we observed bg618.exe and lj016.exe) from the %TEMP% folder. It then
creates another instance of itself and uses process hollowing to unpack itself to its new
instance. The unpacked executable copies Hancitor to either the system or temporary folder
under the name WinHost32.exeHancitor then executes the binary under its new name and
deletes the old one. It is also taking care of achieving persistency by creating a registry value
under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. From now on, each time
it will be executed under the new name the following mechanism will kick in:

This is a simple test that determines if the file is executed for the first time and will gain
persistency, or if it is already installed and should initiate its core functionality as a
downloader - Hancitor now connects back to its C2 servers in order to download and execute
malware. The communication with the C2 server was similar to the pattern described in
Proofpoint's report. A "beacon" signal was sent with unique identifiers of the victim:


-----

Hanictor checks if the C2 has new tasks for it
Just as we saw in the "old" Hancitor, our new version is able to receive commands to
download and execute malware. We compared the binaries, trying to figure out if there are
any changes between Proofpoint's Hancitor and ours and we found one key
difference: Support for a new command-type was added – "b".


-----

C2 commands switch table
Reverse engineering the function that handles it led us to the conclusion that it is used to
execute code downloaded from a URL. However, instead of simply executing it or writing it to
Hancitor's memory space it injects it to a svchost.exe process

Hancitor creates svchost.exe instance to host malicious code


-----

Proofpoint s researchers predicted that downloaders will get more complex, absorbing
functionality of later stages in the infection process – our findings certainly support their
assertions.

## Payloads – More of the Same

After allowing the Hancitor sample to run in a controlled environment we were able to
intercept it and downloaded a couple of modules. Both modules were downloaded from
WordPress and Joomla! sites, possibly exploited to store the malicious content.

[The first payload we observed was a Pony info-stealer Trojan (VT):](https://www.virustotal.com/en/file/8d60356e89c0f4d735e665bbc10c8a36589413f55efa17659c7c253d2449d54f/analysis/)

Command to download the Pony malware
After downloading it directly to Hancitor's memory it was executed in a new thread and
started to monitor a vast range of collectible data:

Email passwords (SMTP, POP3, IMAP)
Other web protocols passwords (HTTP, FTP, NNTP)


-----

Enumerating keys
in HKEY_CURRENT_USER\Software\Microsoft\Office\1x.0\Outlook\Profiles leading to
the users PST files
More registry keys related to outlook accounts.

Comparing this sample to older Pony from April to early July resulted in little to no difference.
Even though some of the C2 URLs were changed, we discovered that they resolve to the
same IP addresses used in previous campaign. This is our sample,
resolving bettitotuld[.]com:

Pony resolves its C2 to 46[.]4[.]173[.]214


-----

Going through Passive Total s [data showed that at least four extra URLs linking this IP to](https://www.passivetotal.org/passive/46.4.173.214)
previous Pony campaigns:

Same IP, different C2 URLs
In both the old and the new Pony samples the path to the gate was always the same,
accessing it in the /zapoy/gate.php path. Curious what Zapoy means we opened our Russian
dictionary and found two possible explanations: The first one translates [zapoy as the](https://en.wikipedia.org/wiki/Zapoy)
Russian term for a state of continuous drunkenness. The other meaning is slang for "start to
sing".

After this short lesson in Russian slang we went back to check how Hancitor is doing and
found that our sample downloaded and executed another component:


-----

Downloading secondary payload
This file, 45.exe, is a spam bot which was executed after being written to the disk (unlike
Pony's DLL).

After a short "chat" over UDP with its C2 server the bot started to resolve the addresses of
SMTP servers and connect to them over port 25:


-----

The bot searches SMTP servers
It is also worth mentioning that this bot has a separate persistency mechanism than
Hancitor's, installing itself as a service under the name "s3svc".

## A Short Summary and Conclusions

The new version of Hancitor is just another phase on the evolution of downloaders from a
simple “check-updates-download-execute” loop to a complex and more advanced malware.
In this example we had the chance to observe the full chain from a phishing email to a
Trojan:


-----

This complex mechanism is a result of the current security products landscape – each
evasive maneuver is tweaked to avoid a specific class of products. Minerva Anti-Evasion
Platform, preventing any damage by this and other malware attack by exploiting malware
evasive nature against it self.

## IOCs

### URL Addresses

**Hancitor**

hxxp://callereb[.]com/ls/gate[.]php


-----

hxxp://supketwron[.]ru/ls/gate[.]php

hxxp://witjono[.]ru/ls/gate[.]php

**Pony**

hxxp://eventtorshendint[.]ru/zapoy/gate[.]php

hxxp://tefaverrol[.]ru/zapoy/gate[.]php

hxxp://bettitotuld[.]com/zapoy/gate[.]php

hxxp://tonslacsotont[.]ru/zapoy/gate[.]php

hxxp://hinhenharre[.]ru/zapoy/gate[.]php

hxxp://helahatun[.]com/zapoy/gate[.]php

hxxp://idmuchatbut[.]ru/zapoy/gate[.]php

hxxp://dafiutrat[.]ru/zapoy/gate[.]php

hxxp://onketorsco[.]com/zapoy/gate[.]php

hxxp://eventtorshendint[.]ru/zapoy/gate[.]php

### IP Addresses

62[.]141[.]54[.]153

151[.]80[.]220[.]47

185[.]31[.]160[.]190

185[.]46[.]8[.]214

46[.]4[.]173[.]214

91[.]220[.]131[.]45

### Hashes (SHA-256)

**Infected Word Documents**

8d37d622baf17eaa7a0b04ab1956263abcc4cd6d85fd28945aacf0dac87b47c4

fcc24a15f2b7ed06403ec192b3ed2a5258e2691b6d61b2334160fd76bbfba151

9463dc78dc7df3e751ee8c10a3fa32e315f58924eb0305f5f9eeaeae2865f9dd


-----

21efc8907d1c4f320330da3f6a87030f1c389ac8d4fc7363d170ce9444ec81cd

554ff7c6f98afd3c6d9aaef232748481c8024feef415dcf4e153cdbed1a3994e

7edd4f271ae83b5c13b9d1927b9a64160d5ffa2eab88e9a860e50009385638a7

4b99b55479698ee6d1f6b69999c994e153672706af477c84cee6858240569783

cc07a2baf22c94959623b1a89ed88a317dbd7a131d4cdc3eadb048f32b3a2e7b

29f99f50e0aecd0e3c41c7dc1ecdfbc52fb53f734d0de99b5ff722dd07149173

926a34fbae94ab7ed7fe9a596f0507031e19044c06cbbca245efb30d926ea1e5

d59bceef11d49f47ec956b7bc9d3497ffc5259905cd6797ff9f5384f0ee55521

af3d08fb9f2e2ba73496aebb53d36dae1d812622abd598eba27c5d483129632d

ac7a5bfc346193a43e6e22663c1037ca45d89a92c8bb3cefb165c359abb402c4

c1ab4f0d1184df1be78d202e1a204fe187eb1649b1e912b48c6eef46af89c430

37a4084541df61d1380370a59694ba6c59abebf0c8183e10abe60d17bdeacedd

1b6e050c9f5fdcb04b247ef9db8fa2a6322118ed7b71c1545d39cb25a1e16131

**Hancitor**

fcc24a15f2b7ed06403ec192b3ed2a5258e2691b6d61b2334160fd76bbfba151

9463dc78dc7df3e751ee8c10a3fa32e315f58924eb0305f5f9eeaeae2865f9dd

21efc8907d1c4f320330da3f6a87030f1c389ac8d4fc7363d170ce9444ec81cd

554ff7c6f98afd3c6d9aaef232748481c8024feef415dcf4e153cdbed1a3994e

7edd4f271ae83b5c13b9d1927b9a64160d5ffa2eab88e9a860e50009385638a7

4b99b55479698ee6d1f6b69999c994e153672706af477c84cee6858240569783

cc07a2baf22c94959623b1a89ed88a317dbd7a131d4cdc3eadb048f32b3a2e7b

29f99f50e0aecd0e3c41c7dc1ecdfbc52fb53f734d0de99b5ff722dd07149173

926a34fbae94ab7ed7fe9a596f0507031e19044c06cbbca245efb30d926ea1e5

d59bceef11d49f47ec956b7bc9d3497ffc5259905cd6797ff9f5384f0ee55521

af3d08fb9f2e2ba73496aebb53d36dae1d812622abd598eba27c5d483129632d


-----

ac7a5bfc346193a43e6e22663c1037ca45d89a92c8bb3cefb165c359abb402c4

c1ab4f0d1184df1be78d202e1a204fe187eb1649b1e912b48c6eef46af89c430

37a4084541df61d1380370a59694ba6c59abebf0c8183e10abe60d17bdeacedd

1b6e050c9f5fdcb04b247ef9db8fa2a6322118ed7b71c1545d39cb25a1e16131

**Pony**

8d60356e89c0f4d735e665bbc10c8a36589413f55efa17659c7c253d2449d54f

**Spam Bot**

b4e5f56345757fbea0dee5480267551c08e9d91d58960463be4928f69c89313c

99824a0be3c3922c564419e5d42dbbc0ccfbbe5f4226e74afb2ec0cada18a152t


-----