ExecuteMalware

2021-04-15 Hancitor IOCs

Apr 15th, 2021
THREAT IDENTIFICATION: HANCITOR / COBALT STRIKE

HANCITOR BUILD NUMBER
BUILD: 1504_wtpc

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED
agjyg@aw-engineering.com
awe@aw-engineering.com
beyur@aw-engineering.com
ccoisy@aw-engineering.com
deowtna@aw-engineering.com
dy@aw-engineering.com
dylfo@aw-engineering.com
ebuuwyp@aw-engineering.com
emyi@aw-engineering.com
enivyzl@aw-engineering.com
ezo@aw-engineering.com
fytut@aw-engineering.com
gageve@aw-engineering.com
gooiaxu@aw-engineering.com
iacqbop@aw-engineering.com
ip@aw-engineering.com
iuna@aw-engineering.com
j@aw-engineering.com
jajoi@aw-engineering.com
ji@aw-engineering.com
jyivew@aw-engineering.com
la@aw-engineering.com
leceje@aw-engineering.com
lihjaof@aw-engineering.com
mooz@aw-engineering.com
n@aw-engineering.com
ohzxzug@aw-engineering.com
oqi@aw-engineering.com
ozyzedh@aw-engineering.com
pivuli@aw-engineering.com
qodyzxy@aw-engineering.com
r@aw-engineering.com
rg@aw-engineering.com
swa@aw-engineering.com
syeiduz@aw-engineering.com
ty@aw-engineering.com
uevqouh@aw-engineering.com
uop@aw-engineering.com
vmerny@aw-engineering.com
wifun@aw-engineering.com
xijuv@aw-engineering.com
xkuchaa@aw-engineering.com
yqixugi@aw-engineering.com
ysyurya@aw-engineering.com
zagsi@aw-engineering.com
zte@aw-engineering.com

MALDOC LANDING PAGE URLS
https://docs.google.com/document/d/e/2PACX-1vQhiAF5gQNv28y45nwniqKxavLe1Mvpdao5rnqtoPWyX83z9g9zZlH7t1oVDfV2rALM2LC8_hzcMFpr/pub
https://docs.google.com/document/d/e/2PACX-1vQJP4BvT8ibhh9kmz8EGNP0AkTu1brlpLja1hIyWchaXhUOQcIOPYFb5iGPtC0OL-VOiG_svp2ad-S-/pub
https://docs.google.com/document/d/e/2PACX-1vQMQnFvEkafqeq1mnrLv0qhssdfGAOTJRsMDrIglcic7mw06MT0RjlvIh5yc9L-P8RYMjKhU3YB-Idx/pub
https://docs.google.com/document/d/e/2PACX-1vQqpmaKzFUmKXIprKjopTsfipiv-565kIoagGODhIEKUoqXiiE_cazGCp5VmX6emW4Kn57SoTj1Puh8/pub
https://docs.google.com/document/d/e/2PACX-1vQrC8GXtRyfmEGp4oafst9zTA8E6HuQd3w2EEipYO9UixUQn8CoAuuvqH2fHY9Av1JX6iwUyvZXhIIk/pub
https://docs.google.com/document/d/e/2PACX-1vQYAgs-EMLDWqPlZxiLam8gHKkn_5s5yoycAIq8SwlXw1YJxoOcnZVketUVeiLYwkMof-9MK0CCQC4Z/pub
https://docs.google.com/document/d/e/2PACX-1vQYvPn0DGNyEVCNPHhFIp2ECH5yWHtLgpjsYHvaewAm4bLI9ic02-K6ZnKh0ZrDoFjpdNagTSNDHeS6/pub
https://docs.google.com/document/d/e/2PACX-1vQzGwWM78Cmg9TDWVWMjIwTWQ8TrcT9qCA9zE-NBq8uY3F8plsFHrw3qDkxR-du94sqaKcvT5VE-l8d/pub
https://docs.google.com/document/d/e/2PACX-1vR5Sumn6eg4qfv_UGyg3v9YFdiNab8UX8IfNLKM55T9wtOFl5Torn-syATH8tgZ1x0LdsBkNYXUm2nE/pub
https://docs.google.com/document/d/e/2PACX-1vR77nL3sONpxkMPl5sQDkFDypI2jBee6FQIH1lUP7jsufSfHhMq18foSdFsETf0OVPrwQhrEodIClat/pub
https://docs.google.com/document/d/e/2PACX-1vRB4uyo_-sExlmgIt09jJFUObhLRB0A9V2lsvVwVjQJU_CUfoDu7wum4MYx-DtQKvC2LGbXGzuhcARA/pub
https://docs.google.com/document/d/e/2PACX-1vRe2XXcQC3oyBXs2tpYAgVSyVgjVo5_hN5NC-2k3rDBTiNZSkV8V67he05k8KwIAUEYwRW_6ZMXRtL1/pub
https://docs.google.com/document/d/e/2PACX-1vRf0jjCjquvWKXPMPUkJ8db9crsHmUdjBiuvmWxLO4m1zsJSinDmQMzpZYvLHBbEmCZVF53qy9ovL6N/pub
https://docs.google.com/document/d/e/2PACX-1vRglM4LT6gGUwBzivoe0NgHO8C4KvuNIgOBJdj-2HaquDuhYKRJi-OXNKsSldpe4ZRQbQciye8DWmjh/pub
https://docs.google.com/document/d/e/2PACX-1vRHgs7PXe8lwdtgSpuY1711oF6sYr1Vj1Z4qAHCiVIUuoZ246z8hzwxSloFRil7jx3BZdO23sojz1jo/pub
https://docs.google.com/document/d/e/2PACX-1vRKTlMr7LA3vGp-u9eErgY9jJSd0IwwGTxxQt4YlnxcVgwBepdjORDsb11jfp32G--Tf86rPvtNLBd9/pub
https://docs.google.com/document/d/e/2PACX-1vRnnwDHYt3sLU40A0px5JI8RYbAjiOp0ppkt0BWw8roKIKzhGh2cmLcR39pZ9eMa0wWwdgH0lw3_HHh/pub
https://docs.google.com/document/d/e/2PACX-1vRqJzsiUOqO7cuGbsKk1VGGx40rMxDNaLjJmTXyHxkao1bDn-zIc0hnH55MrGKv3XlbR3IJGHbW88LS/pub
https://docs.google.com/document/d/e/2PACX-1vRs_Ln6CQgoce-Gf_aS3XFpsT1THP8ih_0cdyxLj8oT6vPXlg_DVEN-fGQCmlDqpmzFwUFKaShfbUF9/pub
https://docs.google.com/document/d/e/2PACX-1vRUW3XNlW2MlbTlXK-sLdsxlhlhYSdXLYTjbTG7j8EG3L_10zhrGL3ehGvbh6q6PCD5iJKrbwDEPKJW/pub
https://docs.google.com/document/d/e/2PACX-1vRXybvqef5r5F4pZzWT2G6puEZA9eiv8sC44fkJKA8kzWldzTXoRVdeE53RGktGz-N38rMqqWMlhgM8/pub
https://docs.google.com/document/d/e/2PACX-1vSamCreZYOgAmveo04q8gu15PIzA5vT_xwy57ThaXpjteaioQeKrzkx5rAdRNbUstDbsO2NGtQY3Jeg/pub
https://docs.google.com/document/d/e/2PACX-1vSGar165um7mu1tBLjT_edfZFBv8RYzN5CLto2374tGN7OQiC8uMB4OKuaZa_nFTI1Sp6qIK3FSOX7B/pub
https://docs.google.com/document/d/e/2PACX-1vSh1NaJ6pt-Pmtv3qLAQ-1d8BxfU1JwxrS1UH3-eou8LPxAdfhPisJroQ0J6sPPMNJLuPawvC4Hai9g/pub
https://docs.google.com/document/d/e/2PACX-1vSq_xgjB1aRZlhS3bcrAbTD6Tc0WLwK5tWU9CbMEmRlg8fsW8Y0tuy5EZjNdAYKtKlJ6d6Gkdq2qc8-/pub
https://docs.google.com/document/d/e/2PACX-1vSsRZVi4F6AaVMKGDbcxfOmbuSwYPiOFZXKNUzY5qWwEBZex3ZGwm8y0sYePyiuqCZgjlOAAjm5HKxp/pub
https://docs.google.com/document/d/e/2PACX-1vSzWS8cxL6m40c1RxW7QraFYIglzCfIPzciw4HCMpokLg0egJCd8w1kX4A4ZNpkP9woQCnrR7O7eaE2/pub
https://docs.google.com/document/d/e/2PACX-1vT1w5hUAG8DDGsd8X2vF42bDI7cTGw-6uImVbmotRsXI0b_6pAwPV9K1fpHAQop5PaIZTlnm3MKMcBc/pub
https://docs.google.com/document/d/e/2PACX-1vT3q4T9OcJJ8QsdmWphqZooWxQ51CTxMbeRIB7_YqoZw2nmf0uWmERssEuXCvqni1FjaCHXT3_1KhAu/pub
https://docs.google.com/document/d/e/2PACX-1vTB0f227l4EqmHur6dLh_0O2dF0MPVetT5XWt3Msb-bMWXhY53HngKJYFM3w5DlN3KFaFOuQMHMmZTi/pub
https://docs.google.com/document/d/e/2PACX-1vTEJ3_yZK2vLbCixsjT9nAvMhx2FFvz7ymybEBCmNR0uO5LyDzwUSASbjcz4no5i04KKeXSc-fxiXi0/pub
https://docs.google.com/document/d/e/2PACX-1vTqEvrVNoqjCcChavXFlufls5Tqg23ym_JeMgfJLaho9oOmEIbHPI6adV-hV6OHhzGdZIumf4QVbyrl/pub
https://docs.google.com/document/d/e/2PACX-1vTvHFYMJc548uyEjxM8jmoR4f5Del3Uv1UHJqjrGpRfCqTQ1jdBGS6YwcipZ0Z123KnRpU2ChPtkjK8/pub
https://docs.google.com/document/d/e/2PACX-1vTzsg8X6kU2mjyDeiy38mbNPmJyqucNoKBPUI1ZkUV5WLBClhMmGOlD0k_P7DE-ekV5rR6a6xBtVgxh/pub

MALDOC DISTRIBUTION URLS
http://lormano.com/aproval.php
https://forms.saurashtrauniversity.edu/photomask.php
https://api.cdmvertical.com/augmentability.php
https://sieuthiacc.vn/indeclinable.php
https://forms.saurashtrauniversity.edu/believing.php

MALDOC DISTRIBUTION DOMAINS
cdmvertical.com
lormano.com
saurashtrauniversity.edu
sieuthiacc.vn

HANCITOR MALDOC FILE HASH (MD5)
d612619487b653f2df244a7394e9fa46

HANCITOR PAYLOAD FILE HASH (MD5)
edge.dll
be8f099ce03e4e031f8263a3656812de

HANCITOR C2
http://regatimmish.com/8/forum.php
http://wilewgracted.ru/8/forum.php
http://thimolkanivind.ru/8/forum.php

COBALT STRIKE PAYLOAD URLS
http://45des29.ru/1504.bin
http://45des29.ru/1504s.bin

COBALT STRIKE STAGER FILE HASHES (MD5)
1504.bin
5fa38110e78a8c71ee52e6990e967322

1504s.bin
29f9fbe86100a927a879990d838cd0a3

COBALT STRIKE BEACON
http://173.199.115.116/QOEw

COBALT STRIKE C2
http://173.199.115.116/pixel.gif
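The indicators above are only useful once they are run against your own telemetry. The script below is an added example, not part of the original paste and not tooling from ExecuteMalware: it loads the listed sender domain, distribution domains, C2 and Cobalt Strike URLs (plus the first two landing-page URLs; the rest are added the same way), generalises the fourteen observed subject lines into one regular expression, and also matches on the path /8/forum.php that all three listed Hancitor C2 URLs share, so a check-in to a C2 host that was not known at publication time is still flagged. The proxy and mail log lines, their field layout, and the host and user names in them are constructed for the example and are not from the page.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the IOC list above.
SENDER_DOMAIN = "aw-engineering.com"
MALDOC_LANDING_URLS = {  # first two entries from the list; add the rest the same way
    "https://docs.google.com/document/d/e/2PACX-1vQhiAF5gQNv28y45nwniqKxavLe1Mvpdao5rnqtoPWyX83z9g9zZlH7t1oVDfV2rALM2LC8_hzcMFpr/pub",
    "https://docs.google.com/document/d/e/2PACX-1vQJP4BvT8ibhh9kmz8EGNP0AkTu1brlpLja1hIyWchaXhUOQcIOPYFb5iGPtC0OL-VOiG_svp2ad-S-/pub",
}
MALDOC_DISTRIBUTION_DOMAINS = {"cdmvertical.com", "lormano.com",
                               "saurashtrauniversity.edu", "sieuthiacc.vn"}
HANCITOR_C2_HOSTS = {"regatimmish.com", "wilewgracted.ru", "thimolkanivind.ru"}
HANCITOR_C2_PATH = "/8/forum.php"          # shared by all three listed C2 URLs
COBALT_STRIKE_HOSTS = {"45des29.ru", "173.199.115.116"}

# Generalised from the fourteen observed subject lines:
# "You (got|received) (invoice|notification) from DocuSign [Electronic] [Signature] Service"
SUBJECT_RE = re.compile(
    r"^You (?:got|received) (?:invoice|notification) from DocuSign"
    r"(?: Electronic)?(?: Signature)? Service$"
)


def _in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_url(url):
    """Map a URL to the IOC family it belongs to, or None if it matches nothing."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    bare = f"{p.scheme}://{host}{p.path}"      # drop query/fragment before exact match
    if bare in MALDOC_LANDING_URLS:
        return "maldoc_landing"
    if host in HANCITOR_C2_HOSTS or p.path == HANCITOR_C2_PATH:
        return "hancitor_c2"
    if host in COBALT_STRIKE_HOSTS:
        return "cobalt_strike"
    if _in_domains(host, MALDOC_DISTRIBUTION_DOMAINS):
        return "maldoc_distribution"
    return None


def scan_proxy_log(text):
    """Constructed layout: '<epoch> <src_ip> <method> <url> <status>' per line."""
    hits = []
    for line in text.splitlines():
        _ts, src, _method, url, _status = line.split()
        label = classify_url(url)
        if label:
            hits.append((src, label, url))
    return hits


MAIL_RE = re.compile(r'from=<([^>]+)>.*subject="([^"]*)"')


def scan_mail_log(text):
    """Flag messages by sender domain and by the generalised subject pattern."""
    hits = []
    for line in text.splitlines():
        m = MAIL_RE.search(line)
        if not m:
            continue
        sender, subject = m.groups()
        reasons = []
        if sender.lower().endswith("@" + SENDER_DOMAIN):
            reasons.append("sender_domain")
        if SUBJECT_RE.match(subject):
            reasons.append("subject_pattern")
        if reasons:
            hits.append((sender, subject, reasons))
    return hits


# Constructed sample logs (not from the page): one victim walking the full chain,
# one unrelated request, and one lure-subject message from a different sender.
SAMPLE_PROXY_LOG = """\
1618480001 10.0.0.5 GET https://docs.google.com/document/d/e/2PACX-1vQhiAF5gQNv28y45nwniqKxavLe1Mvpdao5rnqtoPWyX83z9g9zZlH7t1oVDfV2rALM2LC8_hzcMFpr/pub 200
1618480007 10.0.0.5 GET http://lormano.com/aproval.php 200
1618480031 10.0.0.5 POST http://regatimmish.com/8/forum.php 200
1618480033 10.0.0.5 GET http://45des29.ru/1504.bin 200
1618480040 10.0.0.5 GET http://173.199.115.116/pixel.gif 200
1618480055 10.0.0.9 GET https://www.example.com/index.html 200
"""
SAMPLE_MAIL_LOG = """\
from=<gageve@aw-engineering.com> to=<a.user@example.com> subject="You got invoice from DocuSign Service"
from=<billing@example.org> to=<b.user@example.com> subject="Your April invoice"
from=<sales@example.net> to=<c.user@example.com> subject="You received notification from DocuSign Electronic Signature Service"
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG) + scan_mail_log(SAMPLE_MAIL_LOG):
        print(hit)
```

Exact-URL matching is used for the Google Docs landing pages because docs.google.com itself is not an indicator; the distribution sites, by contrast, are matched at the domain level since the page lists both the full URLs and the bare domains, and saurashtrauniversity.edu is served from more than one path. The path-only rule for /8/forum.php is the one deliberate generalisation; review its hits rather than blocking on it blindly.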