
Cybercrime, Hancitor is still hiding in a DocuSign mail

Technical analysis by the Malware Hunter JAMESWT

Hancitor is still hiding in a DocuSign email. The doc attachment is downloaded from a different URL each time and contains the DLL with the malware. The final payload is unknown.

Hancitor is still hiding inside a DocuSign email.

The doc attachment, which can be downloaded by opening the link in the message text (the yellow button), contacts a different URL each time and downloads a document that varies with each operation. Inside it there is a DLL with the malware (aka Chanitor).

It is not known, however, which payload is downloaded next. In the latest cybercrime campaigns this was CobaltStrike or FickerStealer, an info-stealer that targets PCs running Windows operating systems, from XP to 10.

Malware C2
