Malspam Leads to Hancitor, Downloads pm.dll (Pony) and inst.exe (Vawtrak)


  • – ledintutat[.]com/ls5/gate.php – Hancitor C2
  • – e-kite[.]biz/wp-admin/includes/pm.dll – GET for Pony
  • – ledintutat[.]com/zapoy/gate.php – Pony C2
  • – geadent[.]ro/wp-admin/inst.exe – GET for Vawtrak
  • – SSL Blacklist Malicious SSL Certificate Detected (Vawtrak CnC)



IDS Events:



SHA256: d84b585409fb4f538cde666cefc7980ba3a927dc292dfb391bdcd8765d4ce0c8
File name: contract_54262.doc

SHA256: 420b028db779bdee1355b568fd1757a579505df41a1f3f620954a34d2b49a926
File name: hancitor.dll

SHA256: 903345e2ccc6c0045de61d40c4c85dad625274b0cc7a4fc4e0c3813811e44495
File name: pm.dll

SHA256: 8aa3b69e95fdde655a29a889fcb6710b6ef23936a0762961aabc0d00e19e4e26
File name: BNC967.tmp.exe and DekJanv.exe

Infection Chain:

The user received this email from


The subject of the email is “legally binding contract” and it carries a .doc attachment called “contract_54262.doc”. The email purports to come from somebody at Gullixson and Kennedy LLP. The threat actors rely on social engineering to entice the user into opening the attachment, going as far as threatening legal action if nothing is done within 48 hours.

The user would then open the attachment (contract_54262.doc) and be presented with this:


The user is then socially engineered once more: the document tells them they must click “Enable Editing” and then “Enable Content”. Once they do, the macro runs Hancitor in memory, Hancitor checks in with its C2 (ledintutat[.]com/ls5/gate.php), and the host then makes GET requests for pm.dll (Pony) and inst.exe (the Vawtrak payload, which lands on disk as BNC967.tmp.exe).

Here you can see the GET request for pm.dll, and in the TCP stream some interesting strings, including hard-coded C2s (circled in red):


Here is the GET for the Vawtrak payload:


Here are some pictures of the payload dropped on the system, as well as the registry key created for persistence:

Here we can see some Vawtrak C2 traffic via (
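As an added example (not code from the original post), the script below takes the URL and SHA256 IOCs listed at the top of this page and matches them against proxy log lines and file hashes, grouping hits per client so the whole Hancitor, Pony and Vawtrak chain shows up in order. The log format and the sample log lines are constructed for this example; only the IOC values come from the post.

```python
import hashlib
import re
from urllib.parse import urlparse

# URL IOCs from the post, keyed to the infection stage each one belongs to.
# They are kept defanged ("[.]") as written in the post and refanged below.
URL_IOCS = {
    "ledintutat[.]com/ls5/gate.php": "Hancitor C2",
    "e-kite[.]biz/wp-admin/includes/pm.dll": "Pony download",
    "ledintutat[.]com/zapoy/gate.php": "Pony C2",
    "geadent[.]ro/wp-admin/inst.exe": "Vawtrak download",
}

# SHA256 IOCs from the post and the file name each one was seen under.
HASH_IOCS = {
    "d84b585409fb4f538cde666cefc7980ba3a927dc292dfb391bdcd8765d4ce0c8": "contract_54262.doc",
    "420b028db779bdee1355b568fd1757a579505df41a1f3f620954a34d2b49a926": "hancitor.dll",
    "903345e2ccc6c0045de61d40c4c85dad625274b0cc7a4fc4e0c3813811e44495": "pm.dll",
    "8aa3b69e95fdde655a29a889fcb6710b6ef23936a0762961aabc0d00e19e4e26": "BNC967.tmp.exe / DekJanv.exe",
}


def refang(ioc):
    """Turn a defanged indicator back into a real host/path string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


# (host, path) lookup table; scheme, port and query string are ignored
# on the log side so a request like gate.php?id=1 still matches.
_URL_TABLE = {tuple(refang(k).split("/", 1)): v for k, v in URL_IOCS.items()}


def classify_url(url):
    """Return the stage label if the URL hits an IOC, otherwise None."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lstrip("/")
    return _URL_TABLE.get((host, path))


# Constructed proxy log format for this example: "<time> <client> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})$")


def scan_log(lines):
    """Return (client, stage, url) for every log line that hits a URL IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the expected format; skip rather than guess
        _time, client, _method, url, _status = m.groups()
        stage = classify_url(url)
        if stage:
            hits.append((client, stage, url))
    return hits


def stages_by_client(lines):
    """Group hits per client in log order, so the whole chain is visible."""
    chain = {}
    for client, stage, _url in scan_log(lines):
        chain.setdefault(client, []).append(stage)
    return chain


def classify_hexdigest(digest):
    """Look up an already computed SHA256 hex digest (case-insensitive)."""
    return HASH_IOCS.get(digest.strip().lower())


def classify_bytes(data):
    """Hash raw file contents and look the digest up."""
    return classify_hexdigest(hashlib.sha256(data).hexdigest())


# Constructed sample log lines; not traffic from the original capture.
SAMPLE_LOG = """\
14:02:11 10.0.0.25 POST http://ledintutat.com/ls5/gate.php 200
14:02:13 10.0.0.25 GET http://e-kite.biz/wp-admin/includes/pm.dll 200
14:02:15 10.0.0.25 POST http://ledintutat.com/zapoy/gate.php?id=1 200
14:02:17 10.0.0.25 GET http://geadent.ro/wp-admin/inst.exe 200
14:02:19 10.0.0.31 GET http://example.com/index.html 200
""".splitlines()

if __name__ == "__main__":
    for client, stages in stages_by_client(SAMPLE_LOG).items():
        print(client, "->", " / ".join(stages))
```

Matching on host and path only (not the full URL string) is deliberate: both gate.php C2 check-ins carry changing query strings and POST bodies, so a literal string block would miss them. A real deployment would feed the functions from the proxy or IDS export and add the IPs the post mentions once they are known.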


I would recommend blocking all the IPs listed at the top of this blog post. Also, I want to give a shout-out to @Techhelplistcom who first uploaded these files to VT. He does great work! You can see a summary of his comments below in red (I’ve included all the additional IOCs he found) or you can click on the hash links above to see them for yourself:

Hancitor in .doc and injected to memory by .doc
Hancitor C2s:

Pony Downloaded via Hancitor C2 Instructions:

Pony C2s:

Vawtrak C2s:
hxxp:// resolves to

taryaznl[.]ru resolves to

Also, be sure to check out his blog at
