Hancitor Analysis
IOB - Indicator of Behavior (1000)
Timeline
The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.
Activities
Interest
Timeline
The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.
Vulnerabilities
Campaigns (2)
These are the campaigns that can be associated with the actor:
- Cobalt Strike
- Xxxxxxxx
IOC - Indicator of Compromise (122)
These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.
TTP - Tactics, Techniques, Procedures (24)
Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
IOA - Indicator of Attack (241)
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
ID | Class | Indicator | Type | Confidence |
---|---|---|---|---|
1 | File | /card_scan.php | predictive | High |
2 | File | /cgi-bin/wlogin.cgi | predictive | High |
3 | File | /concat?/%2557EB-INF/web.xml | predictive | High |
4 | File | /cwc/login | predictive | Medium |
5 | File | /etc/quagga | predictive | Medium |
6 | File | /files.md5 | predictive | Medium |
7 | File | /forum/away.php | predictive | High |
8 | File | /h/calendar | predictive | Medium |
9 | File | /hrm/employeeview.php | predictive | High |
10 | File | /index.php | predictive | Medium |
11 | File | /lists/index.php | predictive | High |
12 | File | /login | predictive | Low |
13 | File | /members/view_member.php | predictive | High |
14 | File | /modules/profile/index.php | predictive | High |
15 | File | /nova/bin/console | predictive | High |
16 | File | /nova/bin/detnet | predictive | High |
17 | File | /objects/getImageMP4.php | predictive | High |
18 | File | /one_church/userregister.php | predictive | High |
19 | File | /out.php | predictive | Medium |
20 | File | /owa/auth/logon.aspx | predictive | High |
21 | File | /public/plugins/ | predictive | High |
22 | File | /replication | predictive | Medium |
23 | File | /req_password_user.php | predictive | High |
24 | File | /SAP_Information_System/controllers/add_admin.php | predictive | High |
25 | File | /SASWebReportStudio/logonAndRender.do | predictive | High |
26 | File | /secure/admin/InsightDefaultCustomFieldConfig.jspa | predictive | High |
27 | File | /secure/admin/ViewInstrumentation.jspa | predictive | High |
28 | File | /secure/QueryComponent!Default.jspa | predictive | High |
29 | File | /xxxxxxx/xxxxxxxxx/%xxxxx%/xxxxx | predictive | High |
30 | File | /xxx_xxxxxx/xx/xxx/xx_xxxxxx | predictive | High |
31 | File | /xxxxxxx/ | predictive | Medium |
32 | File | /xx/xxxxxxx/xxxx-xxxx-xxxxxx-xxx-xxxx | predictive | High |
33 | File | /xxx-xxx/xxx.xxx | predictive | High |
34 | File | /xxx/xxxxx/xx/xxxxxxx/xxxxxxxxxxxxxxxxx.xxx | predictive | High |
35 | File | /xx-xxxx | predictive | Medium |
36 | File | /xx-xxxx/xxxxxx/x.x/xxxxx?xxx | predictive | High |
37 | File | x.xxx.xxx | predictive | Medium |
38 | File | xxxxxxx.xxx | predictive | Medium |
39 | File | xxxxx.xxxxxxxxx.xxx | predictive | High |
40 | File | xxxxx/xxxx_xxxxx_xxxx.xxx | predictive | High |
41 | File | xxxxx/xxxxxxxxxxxxx.xxx | predictive | High |
42 | File | xxxxx_xxxxxx.xxx | predictive | High |
43 | File | xxxxxxxxxxxxxx.xxx | predictive | High |
44 | File | xxxx.xxx | predictive | Medium |
45 | File | xxxxxxxxxxxxxxxxxxxxxxxxx.xxxx | predictive | High |
46 | File | xxx/xxx.xxx | predictive | Medium |
47 | File | xxxxxxxxxxxx.x | predictive | High |
48 | File | xxxx_xxxxxxx.xxx | predictive | High |
49 | File | xxxxxxxx.xxx | predictive | Medium |
50 | File | xxx_xxx | predictive | Low |
51 | File | xxx-xxx/xxx/xxxxxxxx_xxx.xxx | predictive | High |
52 | File | xxxxxxx.xxx | predictive | Medium |
53 | File | xxxx/xxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxx/xxx/xxxxxx.xxxxxxxxx.xxx | predictive | High |
54 | File | xxxxxxxxxxxxxxxxxxx.xx | predictive | High |
55 | File | x_xxxxxx | predictive | Medium |
56 | File | xxxx/xxxxxxxxxxxxxxx.xxx | predictive | High |
57 | File | xx.xxx | predictive | Low |
58 | File | xx.xxx | predictive | Low |
59 | File | xxxxxxxxxx-xxxxxxxxxxxxx.xxx | predictive | High |
60 | File | xxxxxxx/xxxxx/xxxx.x | predictive | High |
61 | File | xxxxxxx/xxxx/xxxxxx.x | predictive | High |
62 | File | xxxxxxx/xxxxxx/xxx/xxx-xxx.x | predictive | High |
63 | File | xxxxxxx/xxxxxxxx/xxx/xxxxxxx-xxxxxx.x | predictive | High |
64 | File | xxxxxxx/xxx/xxxxxx/xxxxxx_xxxxxxx.x | predictive | High |
65 | File | xxxxxxx/xxx/xxxxxx.x | predictive | High |
66 | File | xxxxxxx/xxxxx/xxxxxx_xxxxx_xxx.x | predictive | High |
67 | File | xxx.x | predictive | Low |
68 | File | xxxxx.xxx | predictive | Medium |
69 | File | xxxx/xxxxx/xxxxxxxx.x | predictive | High |
70 | File | xxxx/xxxxxxxxxx/xxxxxx-xxxx.x | predictive | High |
71 | File | xxxx.xxx | predictive | Medium |
72 | File | xxx/xxxx/xxxx.x | predictive | High |
73 | File | xxxxx_xxxxxx.x | predictive | High |
74 | File | xx/xx_xxxxx.x | predictive | High |
75 | File | xxxxxxx.xxx | predictive | Medium |
76 | File | xxxx.xxx | predictive | Medium |
77 | File | xxxxxxxx-xxx/xxxxxx/xxxxxxxx/xxxxxxxx/xxxxx.xx | predictive | High |
78 | File | xxx-xxxx.x | predictive | Medium |
79 | File | xxx/xxxxxx.xxx | predictive | High |
80 | File | xxxxxxx/xxxxxxxxx.xxxxx.xxx | predictive | High |
81 | File | xxxxxxxx/xxxxx-xx-xxxxxxxxx.xxx | predictive | High |
82 | File | xxxxxxxx/xxxxxxx/xxxxx-xxx.xxx | predictive | High |
83 | File | xxxxx.xxx | predictive | Medium |
84 | File | xxxxxxx.xxx | predictive | Medium |
85 | File | xxxxxx/xxxx/xxxxxx_xxx.xxx | predictive | High |
86 | File | xxxx_xxxxx.xxx | predictive | High |
87 | File | xxxxxx/xxxxxx/xxxxxx-xx.x | predictive | High |
88 | File | xxxxxx/xxxxxx.x | predictive | High |
89 | File | xxxx/xx.xxx | predictive | Medium |
90 | File | xxxxxx.xxx | predictive | Medium |
91 | File | xxx_xxxxxx.x | predictive | Medium |
92 | File | xxxxxxx/xxxx_xxx_xxxxx.xxx | predictive | High |
93 | File | xxxxxxxx.xxx | predictive | Medium |
94 | File | xxx/xxxx/xxxx.x | predictive | High |
95 | File | xxx/xxx/xx_xxx.x | predictive | High |
96 | File | xxx/xxxxxxxx/xxxx.x | predictive | High |
97 | File | xxx/xxxxxxxxx/xx_xxx_xxxxxx.x | predictive | High |
98 | File | xxx/xxxxx | predictive | Medium |
99 | File | xxxxxxx_xxxx.xxx | predictive | High |
100 | File | xxxxx/xxxx_xxxxxx/x_xxxx/xxx_xxxxxxx.xxx | predictive | High |
101 | File | xxxxx/_xxxxx.xx | predictive | High |
102 | File | xxxx.x | predictive | Low |
103 | File | xxxxx_xxx_xxxxxxx.x | predictive | High |
104 | File | xxxx.xxx | predictive | Medium |
105 | File | xxx-xxx/?x=xxxxxxx_xxxxx | predictive | High |
106 | File | xxxxx/xxxxxxx.xxx | predictive | High |
107 | File | xxxxxxxxxxxxx.x | predictive | High |
108 | File | xxxxx_xxxx.x | predictive | Medium |
109 | File | xxxxx_xxxxx.xxx | predictive | High |
110 | File | xxxxx_xxxxxx_xxxxxxxx.xxx | predictive | High |
111 | File | xxxxx.xxx | predictive | Medium |
112 | File | xxxxx.xxx | predictive | Medium |
113 | File | xxxxxxxx.xxx | predictive | Medium |
114 | File | xxxxxxxxxx.xxx | predictive | High |
115 | File | xxxxxxxx_xxxx.xxx | predictive | High |
116 | File | xxxxxxxx.x | predictive | Medium |
117 | File | xx_xxxx.x | predictive | Medium |
118 | File | xxxxxxxxxxxxx/xxxxxxxxxx/xxxxx/xxxxxxxxx.xx | predictive | High |
119 | File | xxxxxxx/xxxx-xxxx/xxxxxx.x | predictive | High |
120 | File | xxxx_xxxxxx.xxx | predictive | High |
121 | File | xxx.x | predictive | Low |
122 | File | xxxxxx.xxxx | predictive | Medium |
123 | File | xxxxxxxx-xxxxxx_xxxxx.xxx | predictive | High |
124 | File | xxxx-xxxxxx.x | predictive | High |
125 | File | xxxxxxx.xxx | predictive | Medium |
126 | File | xxxxxxx.xxx | predictive | Medium |
127 | File | xxx/xxxx/xxxx/xxx.xxxxxxxx.xxxxxxx/xxxxxxx/xxx/xxxxxx.xxxx | predictive | High |
128 | File | xxxxxxx-xxxxxxx.xxx | predictive | High |
129 | File | xxxxxxxx.xxx | predictive | Medium |
130 | File | xxxxxxxx.xxxx | predictive | High |
131 | File | xxx.x | predictive | Low |
132 | File | xxxxx.xx | predictive | Medium |
133 | File | xxxxx/xxxxxxxx.x | predictive | High |
134 | File | xxxxxxx.xxx/xxxxxxx.xxxxxxxxxxxx/xxxxxxx/xxxxxxxxx/xxxxxxxxx.xxxx.xx | predictive | High |
135 | File | xxxx/xxx/xxxx-xxxxx.xxx | predictive | High |
136 | File | xxxxxxx | predictive | Low |
137 | File | xxxxx.xxx | predictive | Medium |
138 | File | xxx.xxx | predictive | Low |
139 | File | xxxxxxxxx/xxx/xxx.x | predictive | High |
140 | File | xxxxxxxxx/xxx/xxx.x | predictive | High |
141 | File | xx-xxxxx/xxxxx.xxx | predictive | High |
142 | File | xx-xxxxx-xxxxxx.xxx | predictive | High |
143 | File | xx-xxxx/xxx/xx/xxxxxxx/ | predictive | High |
144 | File | ~/xxxxxxxx-xxxxxxxx.xxx | predictive | High |
145 | Library | /_xxx_xxx/xxxxx.xxx | predictive | High |
146 | Library | xxxxxx.xxx | predictive | Medium |
147 | Library | xxxxxx.xxxxxxxxx.xxxxxxx.xxxxx_xxxxx.xxx | predictive | High |
148 | Library | xxx/xxxxx_xxxxxx.xxx | predictive | High |
149 | Library | xxxxxxxxxxx/xxxxxxxxxxx.xxx | predictive | High |
150 | Argument | $_xxxxxx | predictive | Medium |
151 | Argument | -xx.xxxxxxx | predictive | Medium |
152 | Argument | xx/xx | predictive | Low |
153 | Argument | xxxxx | predictive | Low |
154 | Argument | xx | predictive | Low |
155 | Argument | xxxxx | predictive | Low |
156 | Argument | xxxxxx_xxxx | predictive | Medium |
157 | Argument | xxxxxxxxx | predictive | Medium |
158 | Argument | xxxxxxxx | predictive | Medium |
159 | Argument | xxxxxxxx | predictive | Medium |
160 | Argument | xxxxx_xxxx | predictive | Medium |
161 | Argument | xxxxxxxxxxxx | predictive | Medium |
162 | Argument | xxxx_xxx_xxxx | predictive | High |
163 | Argument | xxx | predictive | Low |
164 | Argument | xxxxxxx | predictive | Low |
165 | Argument | xxxxxx | predictive | Low |
166 | Argument | xxx | predictive | Low |
167 | Argument | xxxxx | predictive | Low |
168 | Argument | xxxx | predictive | Low |
169 | Argument | xxxxxxxxxxxxxxx | predictive | High |
170 | Argument | xxxxx | predictive | Low |
171 | Argument | xxxxxxxx xx | predictive | Medium |
172 | Argument | xxxxxxxxxxx | predictive | Medium |
173 | Argument | xxxx | predictive | Low |
174 | Argument | xxxxxxxx | predictive | Medium |
175 | Argument | xx_xx | predictive | Low |
176 | Argument | xxxx | predictive | Low |
177 | Argument | xxx-xxxxxxxx | predictive | Medium |
178 | Argument | xxxx | predictive | Low |
179 | Argument | xx | predictive | Low |
180 | Argument | xxxxxxxxx.xxxx | predictive | High |
181 | Argument | xxxxx_xxxx | predictive | Medium |
182 | Argument | xxxx | predictive | Low |
183 | Argument | xxxx/xxxxxx_xxxx | predictive | High |
184 | Argument | xxxxxxxx | predictive | Medium |
185 | Argument | xx_xxxxxxx_xxxx | predictive | High |
186 | Argument | xxxxxx | predictive | Low |
187 | Argument | xxxxx/xxxxx | predictive | Medium |
188 | Argument | xxxx | predictive | Low |
189 | Argument | xxxxxxx | predictive | Low |
190 | Argument | xxxxxxxxxx | predictive | Medium |
191 | Argument | xxxxxxxxx/xxxxxxxxx | predictive | High |
192 | Argument | xxxx | predictive | Low |
193 | Argument | xx | predictive | Low |
194 | Argument | xxxxxx xxxxxx | predictive | High |
195 | Argument | xxxxxxx | predictive | Low |
196 | Argument | xxx | predictive | Low |
197 | Argument | xxxxxxxx | predictive | Medium |
198 | Argument | xxxxxxxx | predictive | Medium |
199 | Argument | xxxx | predictive | Low |
200 | Argument | xxxx_xxxxx | predictive | Medium |
201 | Argument | xxxxx_xxxx_xxx | predictive | High |
202 | Argument | xxxx | predictive | Low |
203 | Argument | xxxxxxxxx | predictive | Medium |
204 | Argument | xxxxxxx_xx | predictive | Medium |
205 | Argument | xx_xxxxxxx_xxxxxxx | predictive | High |
206 | Argument | xxxxx | predictive | Low |
207 | Argument | xxxxxxxxxx | predictive | Medium |
208 | Argument | xxxxxx_xxxx | predictive | Medium |
209 | Argument | xxxxxxxxxx | predictive | Medium |
210 | Argument | xxxxxx | predictive | Low |
211 | Argument | xxxxxxx | predictive | Low |
212 | Argument | xxxxxxxxxxx | predictive | Medium |
213 | Argument | xxxxxx_xxxxxxx_xxxxxxxxx_xxxx/xxxxxx_xxxxxxx_xxxxxxx_xxxx | predictive | High |
214 | Argument | xx | predictive | Low |
215 | Argument | xxxxxx | predictive | Low |
216 | Argument | xxxxxx/xxxxxx_xxxxxx | predictive | High |
217 | Argument | xxxxxx | predictive | Low |
218 | Argument | xxxxxx | predictive | Low |
219 | Argument | xxx | predictive | Low |
220 | Argument | x_xx | predictive | Low |
221 | Argument | xxx | predictive | Low |
222 | Argument | xxxxx | predictive | Low |
223 | Argument | xxxxx_xxxx | predictive | Medium |
224 | Argument | xxxxxxxx-xxxxxxxx | predictive | High |
225 | Argument | xxx | predictive | Low |
226 | Argument | xxx | predictive | Low |
227 | Argument | xxxxxxxx | predictive | Medium |
228 | Argument | xxxxx/xx_xxxxx | predictive | High |
229 | Argument | xxxx | predictive | Low |
230 | Argument | xxxx | predictive | Low |
231 | Argument | x-xxxxxxxxx-xxxxxx | predictive | High |
232 | Argument | x-xxxxxx-xxxxxx | predictive | High |
233 | Argument | _xxxxxxx[xxxx_xxxxx_xx] | predictive | High |
234 | Input Value | .%xx.../.%xx.../ | predictive | High |
235 | Input Value | ../../xxxxxxx.xxx | predictive | High |
236 | Input Value | xxxxx' xxx (xxxxxx xxxx xxxx (xxxxxx(xxxxx(x)))xxxx) xxx 'xxxx'='xxxx&xxxxxxxx=xxxxxxxxxx | predictive | High |
237 | Input Value | xxxxxxx/xxxxxxxx_xxxxxxxx/xxxxxxxx_xxxxxxx/xxxxxxxx | predictive | High |
238 | Pattern | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | predictive | High |
239 | Pattern | |xx|xxx|xx xx xx xx| | predictive | High |
240 | Network Port | xxx/xxx (xxxx) | predictive | High |
241 | Network Port | xxx/xxxx | predictive | Medium |
References (15)
The following list contains external sources which discuss the actor and the associated activities:
- https://github.com/vuldb/cyber_threat_intelligence/tree/main/actors/Hancitor
- https://isc.sans.edu/forums/diary/Campaign+evolution+Hancitor+changes+its+Word+macros/24376/
- https://isc.sans.edu/forums/diary/Campaign+evolution+Hancitor+malspam+starts+pushing+Ursnif+this+week/24256/
- https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/
- https://isc.sans.edu/forums/diary/Hancitor+distributed+through+coronavirusthemed+malspam/25892/
- https://isc.sans.edu/forums/diary/Hancitor+malspam+uses+DDE+attack/22936/
- https://isc.sans.edu/forums/diary/Hancitor+tries+XLL+as+initial+malware+file/27618/
- https://isc.sans.edu/forums/diary/HancitorPony+malspam/22053/
- https://isc.sans.edu/forums/diary/HancitorPonyVawtrak+malspam/21919/
- https://isc.sans.edu/forums/diary/June+2021+Forensic+Contest+Answers+and+Analysis/27582/
- https://isc.sans.edu/forums/diary/Malspam+pushing+Word+documents+with+Hancitor+malware/22858/
- https://isc.sans.edu/forums/diary/RTF+files+for+Hancitor+utilize+exploit+for+CVE201711882/23271/
- https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/
- https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
- https://www.malware-traffic-analysis.net/2021/09/14/index.html