{
	"id": "0267171c-2c92-480b-ad25-a154b4446ce3",
	"created_at": "2026-04-06T02:12:02.651419Z",
	"updated_at": "2026-04-10T03:20:49.461914Z",
	"deleted_at": null,
	"sha1_hash": "f4a0b1a5ee8ea97019fa78757338ba8a45aca279",
	"title": "Hancitor tries XLL as initial malware file - SANS ISC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3328525,
	"plain_text": "Hancitor tries XLL as initial malware file - SANS ISC\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-06 01:28:57 UTC\r\nIntroduction\r\nOn Thursday 2021-07-08, for a short while when Hancitor was initially active, any victims who clicked on a malicious link from the malspam would receive an XLL file instead of a malicious Word doc.  I tried one of the email links in my lab and received the malicious XLL file.  After other researchers reported they were receiving Word documents, I tried a few hours later and received a Word document instead.\r\nShown above:  Flow chart for my first Hancitor infection on 2021-07-08.\r\nSince November 2020, Hancitor has consistently followed specific patterns of infection activity, and my previous diary from January 2021 is typical of what I've seen.  Only one change has happened recently.  Since June 8th 2021, malicious spam (malspam) pushing Hancitor switched from docs.google.com links in their messages to using feedproxy.google.com URLs, which was initially reported by @James_inthe_box, @mesa_matt, and @executemalware.\r\nhttps://isc.sans.edu/diary/rss/27618\r\nPage 1 of 9\r\nShown above:  Flow chart for my second Hancitor infection on 2021-07-08 (what I normally see).\r\nI've also seen these Google feedproxy URLs used for Hancitor infections, but I had not seen the XLL files until now.\r\nWhat is an XLL file?\r\nXLL files are Excel add-in files.  They're DLL files specifically designed to be run by Microsoft Excel.  Think of an XLL file as an \"Excel DLL.\"\r\nThe emails\r\nAs usual, emails for this wave of Hancitor used a DocuSign theme, and they spoofed cabanga[.]com as the sending domain.  
Just like in recent weeks, links went to a Google feedproxy URL.\r\nShown above:  Example of malspam pushing Hancitor from 2021-07-08.\r\nThe Google feedproxy URL leads to a malicious page on a compromised website designed to send the initial malicious file and redirect the browser to DocuSign's website.  I've described the process here and here.  This process makes it appear as if the file was offered by DocuSign, when it was actually sent through a malicious web page.\r\nShown above:  The website for DocuSign appears in a victim's browser immediately after a malicious file is offered for download.\r\nRemember, this malicious activity is not caused by DocuSign.  DocuSign is one of many companies that cybercriminals impersonate when distributing malware like Hancitor.  DocuSign is aware of this long-running effort by the criminals behind Hancitor, and the company has guidelines for dealing with this sort of malicious activity.\r\nRunning the XLL\r\nWhen opening the XLL file, Excel asks if you want to enable the add-in as shown below.\r\nShown above:  Opening the malicious XLL file in Excel.\r\nThe default option was to leave the add-in disabled.  But when I opened the XLL file in my lab environment, I enabled all code for the add-in.  Excel immediately ran the add-in and closed.  
I didn't see any sort of fake template like we usually see when Hancitor uses a Word document as the initial file.\r\nInfection traffic\r\nDuring my first infection run with the XLL file, most of the traffic followed known patterns for Hancitor and Cobalt Strike, but I saw two additional URLs as noted below.\r\nShown above:  Traffic from my first Hancitor infection filtered in Wireshark, with the two unusual URLs noted.\r\nThese two URLs returned files that were saved to my Windows client in the C:\\Users\\Public\\ directory.  The first URL returned an HTML file that was saved as res32.hta.  That .hta file retrieved an EXE for Hancitor which was saved as snd32sys.exe.\r\nShown above:  HTML (.hta) and EXE files saved on the Windows host.\r\nHancitor showed a build number of 0707in2_wvcr in C2 traffic caused by the EXE.  During my second infection run with a Hancitor DLL, I saw a build number of 0707_wvcr.\r\nShown above:  C2 traffic from Hancitor EXE during my first infection.\r\nShown above:  C2 traffic from Hancitor DLL during my second infection.\r\nIndicators of Compromise (IOCs)\r\nThis Github page contains 35 Google feedproxy URLs and 35 associated URLs used to send the initial malicious file.  
Other indicators follow.\r\nSHA256 hash: 73b8c566d8cdf3200daa0b698b9d32a49b1ea8284a1e6aa6408eb9c9daaacb71\r\nFile size: 24,488 bytes\r\nFile name: 0708_0112181856.xll\r\nFile description: Excel add-in (an \"Excel DLL\")\r\nSHA256 hash: da92436d2bbcdef52b11ace6e2e063e9971cefc074d194550bd425305c97cdd5\r\nFile size: 8,419 bytes\r\nFile location: hxxp://srand04rf[.]ru/92375234.xml\r\nFile location: C:\\Users\\Public\\res32.hta\r\nFile description: HTML file used to retrieve Hancitor EXE\r\nSHA256 hash: 3db14214a9eb98b3b5abffcb314c808a25ed82456ce01251d31e8ea960f6e4e6\r\nFile size: 763,392 bytes\r\nFile location: hxxp://srand04rf[.]ru/08.jpg\r\nFile location: C:\\Users\\Public\\snd32sys.exe\r\nFile description: Hancitor EXE\r\nSHA256 hash: b4d402b4ab3b5a5568f35562955d5d05357a589ccda55fde5a2c166ef5f15699\r\nFile size: 898,048 bytes\r\nFile name: 0708_3355614568218.doc\r\nFile description: Word doc with macros for Hancitor\r\nSHA256 hash: 4dc9d5ee1debdba0388fbb112d4bbbc01bb782f015e798cced3fc2edb17ac557\r\nFile size: 274,432 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Template\\niberius.dll\r\nFile description: Hancitor DLL\r\nRun method: rundll32.exe [filename],ONOQWPYIEIR\r\nSHA256 hash: dee4bb7d46bbbec6c01dc41349cb8826b27be9a0dcf39816ca8bd6e0a39c2019\r\nFile size: 272,910 bytes\r\nFile location: hxxp://srand04rf[.]ru/7hfjsdfjks.exe\r\nFile description: EXE for Ficker Stealer malware\r\nNote: This file was first submitted to VirusTotal on 2021-06-09.\r\nTraffic related to Hancitor:\r\n8.211.241[.]0 port 80 - srand04rf[.]ru - GET /92375234.xml\r\n8.211.241[.]0 port 80 - srand04rf[.]ru - GET /08.jpg\r\nport 80 - api.ipify.org - GET /  [not inherently malicious]\r\n77.222.42[.]67 port 80 - sudepallon[.]com - POST /8/forum.php\r\n194.147.78[.]155 port 80 - anspossthrly[.]ru - POST /8/forum.php\r\n194.147.115[.]74 port 80 - thentabecon[.]ru - POST /8/forum.php\r\nTraffic related to Ficker 
Stealer:\r\n8.211.241[.]0 port 80 - srand04rf[.]ru - GET /7hfjsdfjks.exe\r\nport 80 - api.ipify.org - GET /?format=xml  [not inherently malicious]\r\n95.213.179[.]67 port 80 - pospvisis[.]com - TCP traffic\r\nTraffic related to Cobalt Strike:\r\n8.211.241[.]0 port 80 - srand04rf[.]ru - GET /0707s.bin\r\n8.211.241[.]0 port 80 - srand04rf[.]ru - GET /0707.bin\r\n191.101.17[.]21 port 443 - HTTPS traffic\r\n191.101.17[.]21 port 80 - 191.101.17[.]21 - GET /5lyB\r\n191.101.17[.]21 port 80 - 191.101.17[.]21 - GET /IE9CompatViewList.xml\r\n191.101.17[.]21 port 80 - 191.101.17[.]21 - POST /submit.php?id=[9-digit number]\r\nFinal words\r\nA pcap of the infection traffic from my first infection run (with the XLL file) can be found here.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/rss/27618",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/diary/rss/27618"
	],
	"report_names": [
		"27618"
	],
	"threat_actors": [],
	"ts_created_at": 1775441522,
	"ts_updated_at": 1775791249,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f4a0b1a5ee8ea97019fa78757338ba8a45aca279.pdf",
		"text": "https://archive.orkl.eu/f4a0b1a5ee8ea97019fa78757338ba8a45aca279.txt",
		"img": "https://archive.orkl.eu/f4a0b1a5ee8ea97019fa78757338ba8a45aca279.jpg"
	}
}