Today’s post is about fresh versions of Hancitor trojan and a couple of rules released by Threat Bounty Program participants which enables security solutions to detect them.

Hancitor Trojan (Evasion Technique) community rule by Emir Erdogan:

Hancitor infection with Ursnif exclusive rule by Osman Demir:

This malware appeared in 2013 and at the end of last year was significantly modified by the authors, who managed to turn the outdated Trojan into an evasive threat. Cybercriminals infect their victims primarily via various spam email campaigns. Hancitor trojan is designed to attack Windows systems, and attackers use it to deliver the next stage payload. The new version of this malware was used most of all in attacks against users and organizations from the United States, and their other targets are located in Canada, Southern and Central Americas, Europe, and APAC region. One of the most notable changes in the malware is the capability of downloading and executing a DLL module. Also, malware authors have significantly modified the network communication protocol used.

In recent campaigns, cybercriminals leveraged an effective combination of Living off the Land Techniques in order to evade detection. They used WMI for indirect command execution and COM objects to download stage-two binaries in Proxy and Non-Proxy environments.


The rules have translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio 

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint



Tactics: Execution, Discovery 

Techniques: PowerShell (T1086), Windows Management Instrumentation (T1047), Query Registry (T1012)

Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts