Win32/TrojanDownloader.Hancitor [Threat Name]

Win32/TrojanDownloader.Hancitor.A [Threat Variant Name]

Category trojan
Size 111104 B
Detection created Sep 19, 2014
Detection database version 10444
Aliases TR/Keilcha.lgb (Avira)
Short description

Win32/TrojanDownloader.Hancitor.A is a trojan which tries to download other malware from the Internet.


The trojan may create copies of itself using the following filenames:

  • %temp%\winlogin.exe

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "winlogin" = "%temp%\winlogin.exe"
    • "winlogin" = "%temp%\%originalfilename%"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "winlogin" = "%temp%\winlogin.exe"
    • "winlogin" = "%temp%\%originalfilename%"

This causes the trojan to be executed on every system start.

Information stealing

The following information is collected:

  • computer name
  • external IP address of the network device

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 2 URLs and communicates with them over HTTP.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • uninstall itself

The trojan may create the following files:

  • %temp%\___%variable%.exe

A string with variable content is used instead of %variable%.

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E\cfg]
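
A triage check for the Registry indicators listed above, as an added example that is not part of the original description: it parses saved `reg query` output and flags the "winlogin" Run value and the cfg key. The function name `scan_reg_query`, the sample output and the temp-path heuristic are assumptions made for this example.

```python
import re

# Indicators taken from the description above.
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
CFG_SUFFIX = (r"\software\microsoft\active setup\installed components"
              r"\05f16c88-71d3-42c1-bb4f-e9baf7db4a9e\cfg")
VALUE_NAME = "winlogin"
# Assumption: %temp% appears either unexpanded or as a path containing \Temp\.
TEMP_RE = re.compile(r"%temp%|\\temp\\", re.IGNORECASE)
# `reg query` prints values as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$")


def scan_reg_query(text):
    """Parse `reg query` output; return (key, value_name, data, verdict) hits."""
    hits, key = [], None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
            if key.lower().endswith(CFG_SUFFIX):
                hits.append((key, None, None, "config-key"))
            continue
        m = VALUE_RE.match(line)
        if not (m and key and key.lower().endswith(RUN_SUFFIX)):
            continue
        name, _type, data = m.groups()
        if name.lower() != VALUE_NAME:
            continue
        # Data under the temp directory covers both documented variants
        # (winlogin.exe and %originalfilename%); anything else needs a look.
        verdict = "persistence" if TEMP_RE.search(data) else "review"
        hits.append((key, name, data.strip('"'), verdict))
    return hits


# Constructed sample (not from a real host), as produced by:
#   reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
#   reg query "HKCU\Software\Microsoft\Active Setup\Installed Components" /s
SAMPLE = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    winlogin    REG_SZ    C:\Users\alice\AppData\Local\Temp\winlogin.exe

HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E\cfg
"""

if __name__ == "__main__":
    for hit in scan_reg_query(SAMPLE):
        print(hit)
```

A "review" verdict means a Run value named "winlogin" exists but its data does not point into a temp directory, so it does not match either documented variant.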
