# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: chanitor, hancitor # Reference: https://www.threatcrowd.org/listMalware.php?page=0&antivirus=Trojan:Win32/Chanitor o3qz25zwu4or5mak.onion o3qz25zwu4or5mak.tor2web.org o3qz25zwu4or5mak.tor2web.ru svcz25e3m4mwlauz.onion svcz25e3m4mwlauz.tor2web.org svcz25e3m4mwlauz.tor2web.ru um6fsdil5ecma5kf.onion um6fsdil5ecma5kf.tor2web.org um6fsdil5ecma5kf.tor2web.ru # Reference: https://twitter.com/James_inthe_box/status/1044957343568388097 # Reference: https://pastebin.com/st49wnwB onthethatsed.ru tontheckcatan.ru # Reference: https://pastebin.com/bPV4gVVL heundthetrec.ru perranrowsin.com utteronhim.ru # Reference: https://pastebin.com/CQGHUK03 caperlighleft.com hescatofme.ru ledeventutru.ru # Reference: https://twitter.com/James_inthe_box/status/1047490196319612928 milliondollarlawsuit.co # Reference: https://twitter.com/malware_traffic/status/1113586907655680001 waorveled.com # Reference: https://twitter.com/Antelox/status/914949407442862080 kedmolorop.com # Reference: https://twitter.com/BroadAnalysis/status/880488094277009408 repwasswithhow.com # Reference: https://twitter.com/BroadAnalysis/status/783725374161186816 gotevengsorol.ru # Reference: https://twitter.com/BroadAnalysis/status/753688954323529729 wassuseidund.ru # Reference: https://twitter.com/mesa_matt/status/1113866153108148224 # Reference: https://ghostbin.com/paste/27b9a/raw alldogspoop.co alldogspoop.org alldogspoop.biz alldogspoop.info alldogspoop.mobi alldogspoop.net cherryhillpooperscoopers.com pooperscooperfranchise.com shopalldogspoop.com # Reference: https://twitter.com/CapeSandbox/status/1132548710490148864 hinsurefling.ru oneningsitar.com witoftrinreb.ru # Reference: https://twitter.com/VK_Intel/status/1143512697004331008 # Reference: https://github.com/k-vitali/Malware-Misc-RE/blob/master/2019-06-25-hancitor-build-2705_437890-vk.txt hefidanot.com metyrofhe.ru usesindownne.ru # Reference: https://twitter.com/malware_traffic/status/1145793372126416897 totharduron.com # Reference: https://twitter.com/killamjr/status/1146108509324480514 # Reference: https://app.any.run/tasks/fe00a2ef-0140-4335-8c29-31b2cf15e358/ carbonatedcocktails.com fizzics.biz perlinisystems.com shanakaplan.com # Reference: https://twitter.com/VK_Intel/status/1146139326646034433 # Reference: https://twitter.com/James_inthe_box/status/1145765244645433344 # Reference: https://twitter.com/malware_traffic/status/1146503887215636480 http://31.44.184.201/fknmo/gate.php http://31.44.184.33 tonsruhatbab.com # Reference: https://twitter.com/James_inthe_box/status/1153326001155272704 forrolrestons.ru hersdintfortho.ru retredmuchwas.com # Reference: https://twitter.com/HerbieZimmerman/status/1166046889067896832 # Reference: https://app.any.run/tasks/6a8b1b54-320e-4cf8-aed0-0140714fdd10/ rolfikinme.ru sparherrestal.ru # Reference: https://twitter.com/K_N1kolenko/status/1096001487040331778 ratlittonrigh.com tofttoldboand.ru fortroweventlac.ru # Reference: https://unit42.paloaltonetworks.com/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/ betsuriin.com callereb.com evengsosandpa.ru felingdoar.ru gmailsign.info hecksafaor.com heheckbitont.ru hianingherla.com hihimbety.ru meketusebet.ru mianingrabted.ru moatleftbet.com mopejusron.ru muchcocaugh.com ningtoparec.ru nodosandar.com ritbeugin.ru rutithegde.ru surofonot.ru uldintoldhin.com unjustotor.com wassuseidund.ru # Reference: https://twitter.com/JayTHL/status/1179794844262305793 # Reference: https://app.any.run/tasks/0e56d1f8-8606-42d1-8951-88e4d134981b/ csinashville.com spausence.com # Reference: https://twitter.com/JayTHL/status/1179799689341886464 cowandchickens.com chateaumorritt.ca thegbar.net thegbars.us thegbars.net fedtoner.com # Reference: https://twitter.com/JayTHL/status/1179796029425754112 knoweent.ru wortionce.ru # Reference: https://twitter.com/K_N1kolenko/status/1182244055293599744 compatime.ru mandanoter.ru warlarvars.com # Reference: https://twitter.com/malware_traffic/status/1182407518611529728 avantusthea.com cornbeijnvoxin.com # Reference: https://twitter.com/K_N1kolenko/status/1183657536588865536 branderryadhe.ru caputenedif.ru # Reference: https://pastebin.com/HLnQT4qy adu0.xyz asfpindia.org austinhcg.com bigsunshinebooks.com brydenstt.com dl-rw.com drewcanole.com episodez.online hygieneteam.nl pbssindia.in pflagakron.org talkshows.xyz yooball.com yourecovers.com cornbeijnvoxin.com digplaliatinte.ru dvdflowerrook.ru # Reference: https://twitter.com/wwp96/status/1184490107467788293 asfpindia.org pbssindia.in viplace.pt # Reference: https://pastebin.com/bJ4ynhDe afmichicago.org african-trips.com aftablarestan.ir alferdows.com cenovia.com euroteriage.com gotladyhope.ru januserfish.ru # Reference: https://pastebin.com/Q6aPDCDt boatattorney.com keramenzakt.com linglentelevox.ru mdistellerryck.ru # Reference: https://twitter.com/malware_traffic/status/1186885436397850624 # Reference: https://app.any.run/tasks/742165cc-6e00-4483-af5e-6c49ae53b976/ 31.44.184.160:8080 # Reference: https://twitter.com/K_N1kolenko/status/1187302956644929537 durestuasben.ru sagitecheadle.com vladiondul.ru # Reference: https://pastebin.com/bKwb2Yig pmk-55.ru # Reference: https://twitter.com/K_N1kolenko/status/1188729131523031040 penreleaplif.ru scangescangomu.ru wickawbarrysci.com # Reference: https://twitter.com/James_inthe_box/status/1188771146105147392 # Reference: https://app.any.run/tasks/de677fac-06c7-4c32-bd7a-05fc10cd5196/ blakejordan.com # Reference: https://pastebin.com/JY6StTeK youqu0.com # Reference: https://twitter.com/JAMESWT_MHT/status/1188837744568688640 pubarecaz.com # Reference: https://twitter.com/JayTHL/status/1189934275476492288 damcoservices.com # Reference: https://twitter.com/K_N1kolenko/status/1190903765005750272 selesesteq.ru thaverenta.ru wingritydet.com # Reference: https://pastebin.com/mWznRNAS 3dpixelstudio.co amtours.net bbhs.org.ng brighter-homes.com businessmarker.ro caddyhk.com # Reference: https://twitter.com/BurnerVice/status/1201269199764475904 cetotrumo.com krovsar.ru mamaboss.io page-store.ru # Reference: https://twitter.com/malware_traffic/status/1201602127300354054 ianfelton.info laticivue.com omni-groupllc.com # Reference: https://any.run/malware-trends/hancitor (Note: as seen on 2019-12-04) businessmarker.ro laadlifashionworld.com laticivue.com elesengrity.com beestunduras.com hismosedkaj.com huncribeen.com sageengineering.lk # Reference: https://pastebin.com/QBYe5kCA lardershe.ru thatimine.ru wintroperly.com # Reference: https://twitter.com/wwp96/status/1202642416098062336 harrietljones.com # Reference: https://twitter.com/malware_traffic/status/1202704333114150918 furnanadol.com # Reference: https://pastebin.com/qpuaEEun andalicur.ru lappoing.com theirchus.ru # Reference: barindice.ru lietarion.com legroaled.ru # Reference: https://twitter.com/James_inthe_box/status/1220036840192757762 cousidrebn.ru hourtschem.com thicatlies.ru # Reference: https://pastebin.com/raw/2cpkJrW5 rindicatle.ru tariroalz.com torssestih.ru # Reference: https://twitter.com/James_inthe_box/status/1221822109564858368 # Reference: https://www.virustotal.com/gui/domain/kovasrot.cz/relations # Reference: https://pastebin.com/UmYZ30eH diermedir.com kovasrot.cz ussismates.ru wernmicaz.ru # Reference: https://twitter.com/turduckencat/status/1222556491745570816 twereptale.com # Reference: https://pastebin.com/raw/3mpyeQPx charovalso.ru gengrasjeepram.com verectert.ru yaqeennews.96.lt # Reference: https://twitter.com/K_N1kolenko/status/1233366724357042176 dundrazach.com turumency.ru wappreraf.ru # Reference: https://twitter.com/K_N1kolenko/status/1238071539825860608 cludions.com othasidka.com thumbeks.com # Reference: https://isc.sans.edu/forums/diary/Hancitor+distributed+through+coronavirusthemed+malspam/25892/ # Reference: https://otx.alienvault.com/pulse/5e6a5ded0435e2c043e7e206 freetospeak.me # Reference: https://twitter.com/malware_traffic/status/1239629010377887746 bralibuda.com greferezud.com # Reference: https://www.virustotal.com/gui/file/12f87dd075fc12c2b6b15a1eb5ca209ba056bb6aa2feaf3518163192a17a7a3b/detection primecaviar.com # Reference: https://twitter.com/JayTHL/status/1250274763479506945 clarityupstate.com # Reference: https://twitter.com/200_okay_/status/1250278567352532993 raihanchow.us/portfolio/tomcat1432u.php # Reference: https://twitter.com/malware_traffic/status/1250442899700891648 maktabiprezidentivmkb.tj/glstj/seawolf126.php # Reference: https://twitter.com/JayTHL/status/1250460683977834496 # Reference: https://www.virustotal.com/gui/ip-address/47.254.92.217/relations clarityupstate.com furcoatexchange.com furcoatliquidators.com furwholesaler.com re-fur-bished.com refurpose.com rentcoat.com rentmink.com rentminkcoat.com rentthecoat.com theminkcoat.com # Reference: https://twitter.com/DynamicAnalysis/status/1260275056644685824 afya.geefto.com cashforfurcoat.com # Reference: https://twitter.com/K_N1kolenko/status/1265580857944936455 nalinkrobej.ru restozaped.ru thozentaini.com fantavending.mobi/wp-content/themes/sketch-new/1 oxorobotic.com/wp-content/themes/sketch/1 fotobooth.at/wp-content/themes/sketch/1 amatheakids.com/wp-content/themes/sketch/1 wp.regalporn.com/wp-content/plugins/three-column-screen-layout/1 # Reference: https://twitter.com/James_inthe_box/status/1283511249817358341 schemeconnect.com sportbettingdubuque.com # Reference: https://app.any.run/tasks/07ce2b58-f619-4a3c-8232-b3a69a3233cb/ overnightfile.com # Generic heur trails /4/forum.php /6/forum.php /.well-known/ron.php /.well-known/rweaver732.php /123_123123.php /345_3429_34.php /342578_4378.php /34894385_4378.php /4234_32423.php /437843_347843.php /5787478_74.php /63943_54783.php /7834_2378.php /78435_347823.php /83922_543.php /852435_34859.php /89623_3247.php /admin/zaki.php /bdl/gate.php /dkywh9p/rick.php /fknmo/gate.php /glstj/seawolf126.php /ls/gate.php /ls5/forum.php /ls6/gate.php /plasma/gate.php /rglennn.php /rgovett.php /rhf26.php /rick.php /rickyv319.php /rigman43.php /rjohn10657.php /rjyoung007.php /rmdrinkwater.php /rmmurphy10.php /robbjorgensen.php /robby_hanshaw.php /robert.hicks.php /robert1325.php /roberto.rubbiani.php /robohip1.php /roger.ponniah.php /rogerpoitras7.php /rojas5439.php /roland.avignon.php /rolfanderson.php /rollntwist.php /ron_penfold.php /ronco9.php /rowantotal.php /roydsingh.php /rswmisc.php /rubencpa.php /rwhayne.php /ryanzeitler.php /sailnsadle.php /samurai40w.php /sasshm.php /sboles7.php /scooby6060.php /scottyw36.php /sd37667.php /seawolf126.php /senmotomajin.php /sfcw1.php /shark601.php /shellie.php /sherdian19.php /sheridanalan.php /shogin1.php /simonimp.php /sjj53.php /sjmod5.php /sjwhome.php /skovvaenget19.php /sl/gate.php /slamduncker.php /smittybar4.php /soberentexas.php /sophiagamble.php /soundm279.php /st.vanaaken.php /stefamherd.php /steve.heller.php /steveswanson22.php /storme.cosgrave.php /stormnz54.php /sullych43.php /t.carp.php /tankeukjf.php /tbcfix3.php /tbconsulting.php /technoemporium.php /terisitababe.php /terrybailey2009.php /thehornet1.php /thetafly.php /thomasautomotive.php /thomascarterpt.php /thong.5.php /timbrennan29.php /timeflyz97.php /tj.016677.php /tjholden.php /tjubell.php /tmoen3.php /tomcat1432u.php /tomgosse.php /tommino.php /tonynguyen854.php /tonypkeeling.php /topsprop1.php /ttregino.php /tss9999.php /tstanis5.php /vancewl.php /vmpereira.php /walli_sw.php /warren.php /wayneo125.php /waynerice816.php /wbasser.php /wbeliz2002.php /wbferguson.php /wco3520.php /wcwjr.php /wdavidmajor.php /wdepietro.php /weberdental.php /welch9172.php /wesleysebesta.php /westharbour.php /wggoep.php /wghoward.php /wheatstiger.php /whitej58.php /wildpitch.php /williamhcondon.php /willid5223.php /willieotero13.php /win.harris.php /winterof63.php /wjtconsult.php /wnothhelfer.php /woodcock_jack.php /wretchedchild5.php /wschnei106.php /wsr3214.php /wtomnelson.php /wturnermi.php /wwatone.php /wyckoff1012.php /x24spike.php /yazanmoussa.php /ykootss.php /yngwll57.php /yoshihito.shibahata.php /ytyniec.php /yuki_chan2004jp.php /ywingitt.php /zab4ksnk.php /zapoy/gate.php /zecoimbra1951.php /zeke112.php /zenrchi.php /zubairseiendom.php