2021-02-02 - QUICK POST: HANCITOR INFECTION WITH FICKER STEALER, COBALT STRIKE, & NETSUPPORT RAT
ASSOCIATED FILES:
- 2021-02-02-Hancitor-malspam-11-examples.zip 22.4 kB (22,374 bytes)
- 2021-02-02-Hancitor-with-Ficker-Stealer-and-Cobalt-Strike-and-NetSupport-RAT.pcap.zip 12.5 MB (12,518,585 bytes)
- 2021-02-02-Hancitor-malware.zip 292 kB (291,992 bytes)
NOTES:
- The malware zip listed above only contains the Hancitor doc and DLL.
- You can extract the Ficker Stealer EXE from the pcap.
- Malware for NetSupport Manager RAT was sent over encoded C2 traffic through Cobalt Strike, and I unfortunately didn't retrieve a copy from the infected Windows host.
- All zip archives on this site are password-protected. If you don't know the password, see the "about" page of this website.
IMAGES
Shown above: Indicators that NetSupport RAT may have been delivered through Cobalt Strike after the initial Hancitor infection.