2022-03-21 (MONDAY) - HANCITOR (CHANITOR/MAN1/MOSKALVZAPOE/TA511) WITH COBALT STRIKE & MARS STEALER

NOTICE:

ASSOCIATED FILES:

NOTES:

 

IMAGES


Shown above:  Flow chart for this infection.

 


Shown above:  Screen shot of the downloaded Hancitor Word document.

 


Shown above:  Password-protected Word doc dropped after enabling macros on Hancitor Word doc.

 


Shown above:  .cab file created by password-protected Word doc and extracted Hancitor DLL.

 


Shown above:  Follow-up malware Mars Stealer temporarily saved to the infected Windows host.

 


Shown above:  Traffic from the infection filtered in Wireshark.

 

Click here to return to the main page.