2020-10-20 - HANCITOR WITH SOMETHING AND COBALT STRIKE

ASSOCIATED FILES:

NOTES:


IMAGES


Shown above:  Screenshot from an example of malspam pushing Hancitor.



Shown above:  Screenshot from one of the Google Docs pages leading to the spreadsheet.



Shown above:  Screenshot from one of the Excel files downloaded through the Google Docs pages.



Shown above:  Traffic from an infection filtered in Wireshark.



Shown above:  The initial Hancitor EXE.



Shown above:  Registry update to make the Hancitor EXE persistent.



Shown above:  Malware binaries in the infected user's AppData\Local\Temp directory.



Shown above:  This appeared after the Cobalt Strike activity started.
