Win32/TrojanDownloader.Hancitor [Threat Name]

Win32/TrojanDownloader.Hancitor.B [Threat Variant Name]

Category trojan
Size 116224 B
Detection created Oct 01, 2014
Detection database version 10495
Aliases Trojan.Win32.Yakes.gqqd (Kaspersky), Trojan:Win32/Chanitor.A (Microsoft)
Short description

Win32/TrojanDownloader.Hancitor.B is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\Windows\winlogin.exe

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "winlogin" = "%appdata%\Windows\winlogin.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "winlogin" = "%appdata%\Windows\winlogin.exe"

This causes the trojan to be executed on every system start.


After the installation is complete, the trojan deletes the original executable file.

Information stealing

The following information is collected:

  • computer name
  • external IP address of the network device

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (2) URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • uninstall itself

The trojan may create the following files:

  • %temp%\___%variable%.exe

The trojan may execute the following commands:

  • cmd /D /R type "%appdata%\Windows\winlogin.exe" > ___ && move /Y ___ "%appdata%\Windows\winlogin.exe"
  • cmd /D /R ping -n 10 localhost && del "%malwarefilepath%" && start /B "" "%appdata%\Windows\winlogin.exe" && exit
  • cmd /D /R start /B "" "%temp%\___%variable%.exe" && exit
  • cmd /D /R ping -n 10 localhost && del "%malwarefilepath%" && exit

A string with variable content is used instead of %variable%.


The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E\cfg]
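A defender-side check for the artefacts listed on this page (the "winlogin" Run-key value, the ping/del and type/move cmd chains, and the Active Setup cfg key), written as an added example over constructed Sysmon-style events; it is not part of the original page, and the event field names are an assumption.

```python
import re

# Constructed sample events for this example (not from the original page).
# Field names loosely follow Sysmon registry-set / process-creation records.
SAMPLE_EVENTS = [
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "winlogin", "data": r"C:\Users\alice\AppData\Roaming\Windows\winlogin.exe"},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "process", "cmdline": (
        r'cmd /D /R ping -n 10 localhost && del "C:\Users\alice\Downloads\inv.exe" '
        r'&& start /B "" "C:\Users\alice\AppData\Roaming\Windows\winlogin.exe" && exit')},
    {"type": "process", "cmdline": "cmd /C ping -n 1 localhost"},  # benign lookalike
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Active Setup\Installed Components"
                                r"\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E\cfg",
     "value": "(Default)", "data": "<opaque blob>"},
]

# %appdata% expands to ...\AppData\Roaming, so the dropped copy lives at this path.
WINLOGIN_PATH = re.compile(r"\\appdata\\roaming\\windows\\winlogin\.exe", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run$", re.I)
ACTIVE_SETUP_CFG = re.compile(
    r"\\active setup\\installed components\\05f16c88-71d3-42c1-bb4f-e9baf7db4a9e\\cfg$", re.I)
# Delay with ping, delete the dropper, optionally relaunch: the self-deletion chain.
PING_DEL_CHAIN = re.compile(r"ping\s+-n\s+\d+\s+localhost\s*&&\s*del\s+", re.I)
# Re-create the binary via "type ... > ___ && move /Y ___": the relocation chain.
TYPE_MOVE_CHAIN = re.compile(r'type\s+"[^"]*winlogin\.exe"\s*>\s*___\s*&&\s*move\s+/y\s+___', re.I)

def match_event(ev):
    """Return the names of the Hancitor.B indicators a single event matches."""
    hits = []
    if ev["type"] == "registry":
        if RUN_KEY.search(ev["key"]) and (
                ev["value"].lower() == "winlogin" or WINLOGIN_PATH.search(ev["data"])):
            hits.append("run_key_winlogin")
        if ACTIVE_SETUP_CFG.search(ev["key"]):
            hits.append("active_setup_cfg_key")
    elif ev["type"] == "process":
        cmd = ev["cmdline"]
        if PING_DEL_CHAIN.search(cmd):
            hits.append("ping_del_selfdelete")
        if TYPE_MOVE_CHAIN.search(cmd):
            hits.append("type_move_relocate")
        if WINLOGIN_PATH.search(cmd):
            hits.append("winlogin_path_in_cmdline")
    return hits

def scan(events):
    """Return (event_index, indicator) pairs for every event that fired a rule."""
    return [(i, hit) for i, ev in enumerate(events) for hit in match_event(ev)]
```

The benign OneDrive Run value and the plain "ping -n 1 localhost" produce no hits, so the rules key on the combination of path, value name and command chain rather than on cmd.exe or ping alone.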
