Win32/TrojanDownloader.Hancitor [Threat Name] go to Threat

Win32/TrojanDownloader.Hancitor.B [Threat Variant Name]

Category	trojan
Size	116224 B
Aliases	Trojan.Win32.Yakes.gqqd (Kaspersky)
	Trojan:Win32/Chanitor.A (Microsoft)

Win32/TrojanDownloader.Hancitor.B is a trojan which tries to download other malware from the Internet.

When executed, the trojan copies itself into the following location:

The trojan may set the following Registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "winlogin" = "%appdata%\Windows\winlogin.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "winlogin" = "%appdata%\Windows\winlogin.exe"

This causes the trojan to be executed on every system start.

After the installation is complete, the trojan deletes the original executable file.

The following information is collected:

The trojan attempts to send gathered information to a remote machine.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) URLs. The HTTP protocol is used.

It can execute the following operations:

The trojan may create the following files:

The trojan may execute the following commands:

cmd /D /R type "%appdata%\Windows\winlogin.exe" > ___ && move /Y ___ "%appdata%\Windows\winlogin.exe"
cmd /D /R ping -n 10 localhost && del "%malwarefilepath%" && start /B "" "%appdata%\Windows\winlogin.exe" && exit
cmd /D /R start /B "" "%temp%\___%variable%.exe" && exit
cmd /D /R ping -n 10 localhost && del "%malwarefilepath%" && exit

A string with variable content is used instead of %variable% .

The trojan keeps various information in the following Registry key:

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E\cfg]