Teddy Rogers Posted April 28, 2019

Quote:

The Hancitor malware family has been around for a while and its core job is to download and execute additional malware. In order to succeed at its job, the malware must succeed in being run undetected on the machine and thus effectively stay under the radar of security software such as an antivirus. One of Hancitor's endeavors to bypass antivirus is by making use of a booby-trapped Office document and instructing Office to inject the Hancitor binary into a legitimate Windows process. This method has been documented well by the Airbus security team and was used until approximately the summer of 2018. Around that time, the Hancitor crew shifted its infection mechanism by making their spammed Office documents download a packed executable to disk. An executable written to disk usually gets inspected/scanned by antivirus, yet the Hancitor malware has been reasonably successful in evading being detected (initially) as malicious. Hancitor's evasive success can be partly attributed to the packer/crypter being used. In this blog I will do a (technical) deep dive into Hancitor's packer, which has not changed much since the summer of 2018. I will discuss how the packer protects its payload and how it tries to thwart analysis. At the end of this blog, I'll demonstrate how this packer has also been used by many other malware families in the past.

https://www.uperesia.com/hancitor-packer-demystified

Ted.
_null_ Posted June 29, 2019

I'm quite new to the forum and I'm enjoying what I've read and seen thus far! I appreciate you providing us with well-written information about these methods of malware distribution. Thank you for sharing it in this post, as well as the more lengthy article on your blog.
Samz Posted June 29, 2019

Thanks for sharing this. This illustrates a lot of important concepts related to unpacking.