Skip to content
/ hanconfig Public

Static configuration extractor for Hancitor Loader

dissectingmalwa.re

License

GPL-3.0 license
2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

f0wl/hanconfig

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
example-config
example-config
 
 
img
img
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
hanconfig.go
hanconfig.go
 
 

Repository files navigation

Go Report Card

hanConfig

hanConfig is a static configuration extractor implemented in Golang for the Hancitor Loader (targeting Microsoft Windows, Malpedia). By default the script will print the extracted information to stdout (verbose output can be enabled with the -v flag). It is also capable of dumping the malware configuration to disk as a JSON file with the -j flag.

Usage

go run hanconfig.go [-j | -v] path/to/unpacked_hancitor.dll

Screenshots

The script itself, running in verbose mode and with JSON output enabled:

A JSON file with the extracted configuration:

Testing

This configuration extractor has been tested successfully with the following samples:

SHA-256 Sample
ab2a474c3fd276095d7db5d78df356a572b1eee397ef1977facd8df214db3db0 Malshare
f4f18fd34162fda6ce4bef18228de8c1bdc1c5285abaf2fa73c1ccbe087a34dd Malshare

If you encounter an error with HanConfig, please file a bug report via an issue. Contributions are always welcome :)

About

Static configuration extractor for Hancitor Loader

dissectingmalwa.re

Topics

reverse-engineering malware-analysis config-extractor

Resources

Readme

License

GPL-3.0 license
Activity

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 1

Initial Release Latest
Nov 28, 2021

Languages