Skip to content

S0499 Hancitor

Hancitor is a downloader that has been used by Pony and other information stealing malware.12

Item Value
ID S0499
Associated Names Chanitor
Version 1.0
Created 12 August 2020
Last Modified 16 October 2020
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Chanitor 2

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Hancitor has added Registry Run keys to establish persistence.2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Hancitor has used PowerShell to execute commands.2
enterprise T1140 Deobfuscate/Decode Files or Information Hancitor has decoded Base64 encoded URLs to insert a recipient’s name into the filename of the Word document. Hancitor has also extracted executables from ZIP files.12
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Hancitor has deleted files using the VBA kill function.2
enterprise T1105 Ingress Tool Transfer Hancitor has the ability to download additional files from C2.1
enterprise T1106 Native API Hancitor has used CallWindowProc and EnumResourceTypesA to interpret and execute shellcode.2
enterprise T1027 Obfuscated Files or Information Hancitor has used Base64 to encode malicious links. Hancitor has also delivered compressed payloads in ZIP files to victims.12
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Hancitor has been delivered via phishing emails with malicious attachments.2
enterprise T1566.002 Spearphishing Link Hancitor has been delivered via phishing emails which contained malicious links.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.012 Verclsid Hancitor has used verclsid.exe to download and execute a malicious script.3
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Hancitor has relied upon users clicking on a malicious link delivered through phishing.1
enterprise T1204.002 Malicious File Hancitor has used malicious Microsoft Word documents, sent via email, which prompted the victim to enable macros.2
enterprise T1497 Virtualization/Sandbox Evasion Hancitor has used a macro to check that an ActiveDocument shape object in the lure message is present. If this object is not found, the macro will exit without downloading additional payloads.2