Updated Hancitor Malware Slings Cobalt Strike

The first-stage DLL communicates relevant information to the C&C about the infected device, which then triggers the download of the next payload. The payloads observed by Palo Alto’s researchers are:

• Ficker Stealer – MaaS Stealer previously covered in our blog.
• Cobalt Strike – the notorious adversary simulation software commonly abused by threat actors.

The packer employed by the Hancitor sample we analyzed is quite similar to the one used by the Emotet sample described in this blog. Both pieces of malware query the registry key HKEY_CLASSES_ROOT \interface\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9} and will enter an infinite loop if the 4^th character in its default key is not the letter ‘t’, this effectively verifies that the key’s value is the Windows default “IActiveScriptParseProcedure32”.

The registry interface name check

Another evasion technique employed by the packer is the use of uncommon Windows APIs with invalid parameters. The malware calls LoadIconA, LoadCursorW and GetEnhMetaFileBits in an inappropriate manner and will self-terminate if the function does not fail in a specific way. Our guess is that this is an anti-emulation technique which relies on a difference of implementation between a real OS and an emulator.

Anti-emulation in Hancitor

Hancitor has evolved and has become more evasive since our 2016 blog post, and considering the vacuum left by Emotet’s demise it is now a prime candidate to fill the gap in the malicious downloaders market. Minerva Prevents both the malicious document and Hancitor’s subsequent payloads:

IOCs:

e020851d5c3b66662ef70b47f23365a9d922d1b289634c4dddea047a6fd770e9

To learn more about how Minerva Labs helps blocks malicious payloads from Hancitor and other ransomware, contact us for a full demo.