This will be a line by line static analysis of the hancitor malware . I will be using Ghidra and IDA . I am using Ghidra because i dont have IDA decompiler and I am using IDA because I feel like IDA does it better when it comes to assembly . So I have the hancitor DLL . After opening the DLL in IDA and Ghidra I see that IDA has two exports and Ghidra has one . I dont know what the reason is . If any of you guys has any idea please do tell me . That will be helpful . If you go into IDA and see that both exported functions call the same function
It first checks that if an initialized variable is zero . If it is it calls a function . The value of that variable is already defined zero
In the function you can see that the malware author defined some character pointers and it looked like he used malloc to get some heap space .
Then he calls a function with the pointer to the heap buffer , the size of the allocated buffer and address of an integer . Lets go deeper into the function
First the malware gets the version by calling the GetVersion() . There are no version specific condition checks . Then it calls a function . Since i have no idea about the function i will rename it to some_funtion
The some_function has a function call looking line called CONCAT44.As far i know its not a library function . According to stack exchange it means that ghidra is concatenating 4 bytes with 4 bytes . Here is the link. https://reverseengineering.stackexchange.com/questions/22274/concat22-in-ghidra-decompiler/22275 . But i am going to see it myself in assembly what it does .
That function was just checking if any of the defined variable is equal to zero . If its equal to zero . It jumped to another function else it just loads the variables to rax and rdx and returns . I have no idea what that function’s purpose is . Lets move into the next function
This function gets the NETBIOS name into a string array . It returns 1 or 0 . 1 means all OK . 0 means something is wrong . There is also another function that does something . I am going to dive deep . I renamed the function to unknown function .
In this function there is a function that takes an argument “explorer.exe” . It returns the pid of the explorer.exe process . Then it calls another function that takes the pid of the process “explorer.exe” . This function takes the pid , two string arrays and an integer that’s the size of both the string array which is 260 . As per my analysis this function gets the domain name and the username and appends both the strings something like this “domain_name\\user_name . Thats the end of unknown function . After backtracking to the getcomputername function i found out that the function appends the netbios string with the previous appended string .
I think its enough for today
