2021-02-02 - QUICK POST: HANCITOR INFECTION WITH FICKER STEALER, COBALT STRIKE, & NETSUPPORT RAT
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2021-02-02-Hancitor-malspam-11-examples.zip 23.4 kB (23,462 bytes)
- 2021-02-02-Hancitor-with-Ficker-Stealer-and-Cobalt-Strike-and-NetSupport-RAT.pcap.zip 12.5 MB (12,518,585 bytes)
- 2021-02-02-Hancitor-malware.zip 292 kB (292,288 bytes)
NOTES:
- The malware zip listed above only contains the Hancitor doc and DLL.
- You can extract the Ficker Stealer EXE from the pcap.
- Malware for NetSupport Manager RAT was sent over encoded C2 traffic through Cobalt Strike, and I unfortunately didn't retrieve a copy from the infected Windows host.
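The note above says the Ficker Stealer EXE can be pulled out of the pcap. As an added example that is not part of the original post, the Python script below shows the general way to do that offline with the standard library alone: parse the classic pcap format, rebuild each one-way TCP stream by sequence number (discarding retransmitted bytes and tolerating segments captured out of order), then carve any byte range that starts with a plausible MZ/PE header, using the HTTP Content-Length to bound the file when it arrives as a response body. It assumes the download travelled as plain HTTP over IPv4/Ethernet; the capture it runs against is constructed inline, and the addresses, port numbers and URL path in it are made up rather than taken from this page.

```python
import collections, hashlib, re, socket, struct

SERVER, CLIENT = '10.0.0.5', '10.0.0.9'  # constructed sample endpoints, not from the post


def parse_pcap(data):
    """Yield link-layer frames from a classic libpcap file (pcapng is not handled)."""
    endian = {0xa1b2c3d4: '<', 0xd4c3b2a1: '>'}.get(struct.unpack_from('<I', data)[0])
    if endian is None or struct.unpack_from(endian + 'I', data, 20)[0] != 1:
        raise ValueError('need a classic pcap file with Ethernet frames')
    off = 24  # skip the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + 'IIII', data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def tcp_segment(frame):
    """Return (flow_key, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00' or frame[23] != 6:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0f) * 4, struct.unpack_from('!H', ip, 2)[0]
    tcp = ip[ihl:total_len]  # total_len drops any Ethernet trailer padding
    if len(tcp) < 20:
        return None
    sport, dport, seq = struct.unpack_from('!HHI', tcp)
    key = (socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport)
    return key, seq, tcp[(tcp[12] >> 4) * 4:]


def reassemble_streams(pcap_bytes):
    """Rebuild each one-way TCP stream by sequence number, dropping retransmitted bytes."""
    flows = collections.defaultdict(list)
    for frame in parse_pcap(pcap_bytes):
        seg = tcp_segment(frame)
        if seg and seg[2]:
            flows[seg[0]].append(seg[1:])
    streams = {}
    for key, segs in flows.items():
        segs.sort(key=lambda s: s[0])
        buf, expected = bytearray(), segs[0][0]
        for seq, payload in segs:
            if seq < expected:  # overlap/retransmission: keep only the unseen tail
                payload, seq = payload[expected - seq:], expected
            buf += payload      # a gap (seq > expected) is appended as-is, best effort
            expected = seq + len(payload)
        streams[key] = bytes(buf)
    return streams


def carve_pe(stream):
    """Return each byte range of a stream that starts with a valid-looking MZ/PE header."""
    images, pos = [], 0
    while (mz := stream.find(b'MZ', pos)) != -1 and mz + 0x40 <= len(stream):
        e_lfanew = struct.unpack_from('<I', stream, mz + 0x3c)[0]
        if not (0x40 <= e_lfanew < 0x1000 and stream[mz + e_lfanew:mz + e_lfanew + 4] == b'PE\0\0'):
            pos = mz + 1
            continue
        end = len(stream)
        if stream[max(mz - 4, 0):mz] == b'\r\n\r\n':  # HTTP response body: honour Content-Length
            m = re.search(rb'(?im)^content-length:[ \t]*(\d+)', stream[:mz])
            if m:
                end = min(end, mz + int(m.group(1)))
        images.append(stream[mz:end])
        pos = end
    return images


def extract_executables(pcap_bytes):
    """Carve PE images from every TCP stream; each hit carries its flow and SHA-256."""
    return [{'flow': flow, 'size': len(img), 'sha256': hashlib.sha256(img).hexdigest(), 'data': img}
            for flow, stream in reassemble_streams(pcap_bytes).items() for img in carve_pe(stream)]


# Constructed capture: a 256-byte fake PE served over HTTP, arriving out of order with one retransmit.
def build_fake_pe():
    dos = bytearray(0x40)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3c, 0x80)  # e_lfanew: PE signature at offset 0x80
    return bytes(dos) + b'\0' * 0x40 + b'PE\0\0' + b'\x4c\x01' + b'\xcc' * 0x7a


def tcp_frame(src, sport, dst, dport, seq, payload):
    tcp = struct.pack('!HHIIBBHHH', sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b'\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00' + ip


def build_sample_pcap():
    pe = build_fake_pe()
    resp = b'HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: %d\r\n\r\n' % len(pe) + pe
    frames = [tcp_frame(CLIENT, 49152, SERVER, 80, 500, b'GET /payload.bin HTTP/1.1\r\nHost: example.invalid\r\n\r\n'),
              tcp_frame(SERVER, 80, CLIENT, 49152, 1100, resp[100:]),  # second half captured first
              tcp_frame(SERVER, 80, CLIENT, 49152, 1000, resp[:100]),
              tcp_frame(SERVER, 80, CLIENT, 49152, 1000, resp[:100])]  # spurious retransmission
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack('<IIII', 1612224000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == '__main__':
    for hit in extract_executables(build_sample_pcap()):
        src, sport, dst, dport = hit['flow']
        print(f'{src}:{sport} -> {dst}:{dport}  {hit["size"]} bytes  sha256 {hit["sha256"]}')
```

To use it on a real capture, read the file into bytes and pass it to extract_executables(); write each hit's data to disk and compare the SHA-256 against your sandbox or VirusTotal results. The carving is deliberately conservative: an "MZ" is only accepted when e_lfanew points at a "PE\0\0" signature, so random "MZ" byte pairs in other traffic are skipped, and TLS-wrapped downloads will not be recovered this way.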
IMAGES
Shown above: Indicators that NetSupport RAT may have been delivered through Cobalt Strike after the initial Hancitor infection.