
Cybercrime, Hancitor is back hidden in a DocuSign email

Technical analysis by the Malware Hunter JAMESW

Hancitor is back, hidden in a DocuSign e-mail. The doc attachment is downloaded from a different URL each time and contains the DLL with the malware. The final payload is unknown.

Hancitor is back, hidden inside a DocuSign email.

The doc attachment is obtained by opening the link in the text (the yellow button), which contacts a different URL each time and downloads a document that varies with each operation. Inside there is a DLL with the malware (aka Chanitor).

The next payload downloaded is unknown. In the latest cybercrime campaigns, however, it was CobaltStrike or FickerStealer, an info-stealer that targets Windows-based PCs from XP to 10.

Malware C2
