CoronaVirus Themed Malspam (Hancitor malware) | By Siddharth Sharma

Malicious actors routinely exploit dramatic events such as the COVID-19 outbreak: the "exploitation" here means playing on people's emotions for profit. While reading about these spam campaigns I came across the malicious sample that we will look at further in this article. We will do a technical analysis of this malicious Hancitor sample; Hancitor is a malware loader created in 2014 to drop other malware on infected machines. Its aliases are Tordal and Chanitor. The malicious PCAP file has been taken from the malware traffic website.

Nowadays, using the COVID-19 theme, it is spreading as malspam, a screenshot of which is shown below:

source: tweet by @mesa_matt

Now let's analyze this spam, starting with the malicious PCAP:

Technical Analysis:

1. On loading this PCAP in NetworkMiner, the result was as below:

2. On extracting this zip file for further analysis, it was found to contain a single file named CA215720011352.vbs. It was a genuine VBS file, and on checking it was found to be heavily obfuscated (padded with junk code), but scrolling down revealed the actual intent of the file:

3. As can be seen, it uses wscript.exe for AV evasion and execution. On running this file, the result was as below: a file named temp_adobe_123452643.txt was dropped in the temp location for persistence.

4. This was actually a DLL file: when viewed in a hex viewer, the file header was MZ. As we saw above (in step 2), the script used the regsvr32 utility to run, i.e. register, this DLL.

It seems to be signed by a Chinese organisation; the original name of the file appears to be SystemRegistryClean.exe.
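A defender-side check for the dropper behaviour described in steps 3 and 4 (a "text" file in the temp directory that is really a PE image) is shown in the following added Python example. It is not code from the article: it reads a file's header, verifies the MZ and PE signatures and the IMAGE_FILE_DLL characteristic in the COFF header, and flags files whose extension suggests plain text but whose bytes are a PE image. The sample DLL header it writes is constructed and minimal (not the malware's file), and the list of decoy extensions is my own assumption.

```python
import struct
import tempfile
from pathlib import Path

IMAGE_FILE_DLL = 0x2000                 # Characteristics bit set on DLL images
DECOY_EXTENSIONS = {".txt", ".log", ".dat", ".tmp"}   # assumption: "harmless-looking" names


def inspect_pe(data: bytes) -> dict:
    """Return whether a buffer starts with an MZ header, carries a PE signature, and is a DLL."""
    info = {"mz": False, "pe": False, "dll": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    info["mz"] = True
    # e_lfanew at offset 0x3C points at the "PE\0\0" signature
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    info["pe"] = True
    # COFF file header follows the signature; Characteristics is at offset 18 within it
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    info["dll"] = bool(characteristics & IMAGE_FILE_DLL)
    return info


def is_masquerading_pe(path) -> bool:
    """True when a file with a decoy extension actually begins with an MZ header."""
    path = Path(path)
    if path.suffix.lower() not in DECOY_EXTENSIONS:
        return False
    with open(path, "rb") as f:
        head = f.read(4096)
    return inspect_pe(head)["mz"]


def scan_directory(directory) -> list:
    """Names of masquerading PE files directly inside a directory, sorted."""
    hits = [p.name for p in Path(directory).iterdir() if p.is_file() and is_masquerading_pe(p)]
    return sorted(hits)


def build_fake_dll() -> bytes:
    """Constructed sample: a minimal MZ/PE header flagged as a DLL, not a loadable module."""
    e_lfanew = 0x80
    buf = bytearray(e_lfanew + 24)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, e_lfanew + 4, 0x014C)    # Machine: IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", buf, e_lfanew + 22, 0x2102)   # Characteristics incl. IMAGE_FILE_DLL
    return bytes(buf)


def demo(tmpdir=None) -> list:
    """Drop a constructed decoy beside a real text file and scan the directory."""
    tmpdir = Path(tmpdir or tempfile.mkdtemp())
    (tmpdir / "temp_adobe_123452643.txt").write_bytes(build_fake_dll())
    (tmpdir / "notes.txt").write_bytes(b"just text\n")
    return scan_directory(tmpdir)


if __name__ == "__main__":
    print(demo())
```

Pointing `scan_directory` at a user's temp directory is the practical use; the header walk is the same one a hex viewer shows, so a hit here matches what step 4 describes.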

5. Clearly this DLL uses the RunPE technique, a.k.a. process hollowing, as it creates an svchost.exe process under the hood. As shown, executable code is written into the process (seen by putting a breakpoint on WriteProcessMemory); following this code section in the memory map and dumping it gave no useful result, so we switch to IDA for more details.

But before that, while the above process (step 4) was running, I decided to view the network traffic, and luckily an IP address was visible establishing a connection with the host, as shown below:

A connection was established, as can be seen above. On checking that IP address (not reproduced here), it was found to be malicious, i.e. it had already been reported.

6. Let's look into more details:

7. A lot of registry APIs were used; viewing this in x64dbg showed the following:

A similar registry key was used by the Emotet banking trojan: “interface\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9}”, which is passed as a parameter to RegOpenKeyA. This registry key is required for the Windows scripting engine interface IActiveScriptParseProcedure to function. However, on digging further into this DLL, some virtual-key related APIs were also found; it seemed to be tracking the user's clipboard activity, as shown below:


Some analysis screenshots from the sandbox are shown below:

1. First it drops the file (as analysed above).

2. Then it uses WMI (Windows Management Instrumentation), mainly for defense evasion, for gathering information (Discovery) and for remote execution of files as part of Lateral Movement.

3. It also reads the Internet Cache settings; the registry contains a significant amount of information about the operating system, configuration, software, and security.

4. Meanwhile it makes a network connection, as shown:

Related IOCs

– port 80 – – GET /wp-includes/rmdrinkwater.php?t=TW9uLCAxNiBNYXIgMjAyMCAyMDoxNzoxNSArMDMwMA==

– port 80 – – GET /852435_34859.php?eXYI2DfB6=eXYI2DfB6&t=TW9uLCAxNiBNYXIgMjAyMCAyMDoxNzoxNSArMDMwMA==

– port 80 – – GET /

– port 80 – – POST /4/forum.php

– port 80 – – POST /mlu/forum.php

– port 80 – – GET /1

– port 80 – – GET /2

– port 80 – – POST /4/forum.php

– port 80 – – POST /4/forum.php
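The IOC list above can be turned into a small triage script. The following added Python example (not part of the original article) parses the request lines exactly as listed, decodes the base64 `t=` query parameter, and tags the patterns a defender would watch for in proxy or IDS logs: a base64-encoded date in the query string, POSTs to a forum.php path, and GETs for bare numbered paths. The tag names and the regular expression are my own; the host fields are blank because they are blank in the list above, and the input lines are embedded as constructed copies of that list.

```python
import base64
import binascii
import re
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qs, urlsplit

# Constructed input: the IOC lines from the article (host fields blank there too).
IOC_LINES = [
    "– port 80 – – GET /wp-includes/rmdrinkwater.php?t=TW9uLCAxNiBNYXIgMjAyMCAyMDoxNzoxNSArMDMwMA==",
    "– port 80 – – GET /852435_34859.php?eXYI2DfB6=eXYI2DfB6&t=TW9uLCAxNiBNYXIgMjAyMCAyMDoxNzoxNSArMDMwMA==",
    "– port 80 – – GET /",
    "– port 80 – – POST /4/forum.php",
    "– port 80 – – POST /mlu/forum.php",
    "– port 80 – – GET /1",
    "– port 80 – – GET /2",
]

# port, then (after the blank host fields) the HTTP method and request target
LINE_RE = re.compile(r"port\s+(\d+)\s+.*?\b(GET|POST)\s+(\S+)")


def decode_timestamp_param(value: str):
    """Decode a base64 value; return a datetime if it is an RFC 2822 date, else None."""
    try:
        raw = base64.b64decode(value, validate=True).decode("ascii")
        return parsedate_to_datetime(raw)
    except (binascii.Error, UnicodeDecodeError, ValueError, TypeError):
        return None


def classify(method: str, path: str, ts) -> list:
    """Assumed tag names for the request shapes seen in the IOC list."""
    tags = []
    if ts is not None:
        tags.append("base64-date-in-query")
    if method == "POST" and path.endswith("/forum.php"):
        tags.append("forum.php-checkin")
    if method == "GET" and re.fullmatch(r"/\d+", path):
        tags.append("numbered-payload-fetch")
    return tags


def parse_ioc_line(line: str):
    """Split one IOC line into port, method, path, decoded timestamp and tags."""
    m = LINE_RE.search(line)
    if not m:
        return None
    port, method, target = m.groups()
    parts = urlsplit(target)
    t_values = parse_qs(parts.query).get("t", [])
    ts = decode_timestamp_param(t_values[0]) if t_values else None
    return {
        "port": int(port),
        "method": method,
        "path": parts.path,
        "timestamp": ts,
        "tags": classify(method, parts.path, ts),
    }


def summarise(lines) -> list:
    """Parsed records for every line that matched the expected layout."""
    return [r for r in (parse_ioc_line(line) for line in lines) if r]


if __name__ == "__main__":
    for row in summarise(IOC_LINES):
        print(row["method"], row["path"], row["timestamp"], row["tags"])
```

The decoded `t=` value is a full RFC 2822 timestamp with a timezone offset, which is why a date parser rather than a plain string match is used; a log line whose query parameter decodes to a well-formed date is a stronger signal than the base64 alphabet alone.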

About Siddharth:
  • Student currently pursuing a Bachelor of Technology (Computer Science)
  • Interested in malware analysis, reversing and forensics.
  • Did an internship at the Computer Emergency Response Team, India (CERT-In)

The article was originally published here:

March 25, 2020
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013