Files packaged with Excel-DNA from which a dll containing 2 urls pointing to Discord is extracted. These download data files and encode them with XOR creating additional DLLs, which initiate the malware infection.
Technical analysis by the Malware Hunter JAMESWT
The Hancitor campaign via DocuSign is back. The email doc attachment is downloaded each time from a different url and contains a dll with the malware. It is not known what the final payalod is
New wave of the Hancitor campaign, which passes from a fake mail notification from DocuSign. The message contains a doc attachment, which can be downloaded by opening the link in the text (the yellow button).
This contacts a different url each time and downloads a document that varies with each operation. Inside there is a dll with Hancitor (aka Chanitor). It is not clear, however, at the moment, what the downloader downloads once installed on the victim’s machine. In the latest cybercrime campaigns, the final payload was FickerStealer, an info-stealer that targets PCs with Windows operating systems, from XP to 10.