2021-04-15 Hancitor IOCs

1. THREAT IDENTIFICATION: HANCITOR / COBALT STRIKE
2.  
3. HANCITOR BUILD NUMBER
4. BUILD: 1504_wtpc
5.  
6. SUBJECTS OBSERVED
7. You got invoice from DocuSign Electronic Service
8. You got invoice from DocuSign Electronic Signature Service
9. You got invoice from DocuSign Service
10. You got invoice from DocuSign Signature Service
11. You got notification from DocuSign Electronic Service
12. You got notification from DocuSign Service
13. You got notification from DocuSign Signature Service
14. You received invoice from DocuSign Electronic Signature Service
15. You received invoice from DocuSign Service
16. You received invoice from DocuSign Signature Service
17. You received notification from DocuSign Electronic Service
18. You received notification from DocuSign Electronic Signature Service
19. You received notification from DocuSign Service
20. You received notification from DocuSign Signature Service
21.  
22. SENDERS OBSERVED
23. [email protected]
24. [email protected]
25. [email protected]
26. [email protected]
27. [email protected]
28. [email protected]
29. [email protected]
30. [email protected]
31. [email protected]
32. [email protected]
33. [email protected]
34. [email protected]
35. [email protected]
36. [email protected]
37. [email protected]
38. [email protected]
39. [email protected]
40. [email protected]
41. [email protected]
42. [email protected]
43. [email protected]
44. [email protected]
45. [email protected]
46. [email protected]
47. [email protected]
48. [email protected]
49. [email protected]
50. [email protected]
51. [email protected]
52. [email protected]
53. [email protected]
54. [email protected]
55. [email protected]
56. [email protected]
57. [email protected]
58. [email protected]
59. [email protected]
60. [email protected]
61. [email protected]
62. [email protected]
63. [email protected]
64. [email protected]
65. [email protected]
66. [email protected]
67. [email protected]
68. [email protected]
69.  
70. MALDOC LANDING PAGE URLS
71. https://docs.google.com/document/d/e/2PACX-1vQhiAF5gQNv28y45nwniqKxavLe1Mvpdao5rnqtoPWyX83z9g9zZlH7t1oVDfV2rALM2LC8_hzcMFpr/pub
72. https://docs.google.com/document/d/e/2PACX-1vQJP4BvT8ibhh9kmz8EGNP0AkTu1brlpLja1hIyWchaXhUOQcIOPYFb5iGPtC0OL-VOiG_svp2ad-S-/pub
73. https://docs.google.com/document/d/e/2PACX-1vQMQnFvEkafqeq1mnrLv0qhssdfGAOTJRsMDrIglcic7mw06MT0RjlvIh5yc9L-P8RYMjKhU3YB-Idx/pub
74. https://docs.google.com/document/d/e/2PACX-1vQqpmaKzFUmKXIprKjopTsfipiv-565kIoagGODhIEKUoqXiiE_cazGCp5VmX6emW4Kn57SoTj1Puh8/pub
75. https://docs.google.com/document/d/e/2PACX-1vQrC8GXtRyfmEGp4oafst9zTA8E6HuQd3w2EEipYO9UixUQn8CoAuuvqH2fHY9Av1JX6iwUyvZXhIIk/pub
76. https://docs.google.com/document/d/e/2PACX-1vQYAgs-EMLDWqPlZxiLam8gHKkn_5s5yoycAIq8SwlXw1YJxoOcnZVketUVeiLYwkMof-9MK0CCQC4Z/pub
77. https://docs.google.com/document/d/e/2PACX-1vQYvPn0DGNyEVCNPHhFIp2ECH5yWHtLgpjsYHvaewAm4bLI9ic02-K6ZnKh0ZrDoFjpdNagTSNDHeS6/pub
78. https://docs.google.com/document/d/e/2PACX-1vQzGwWM78Cmg9TDWVWMjIwTWQ8TrcT9qCA9zE-NBq8uY3F8plsFHrw3qDkxR-du94sqaKcvT5VE-l8d/pub
79. https://docs.google.com/document/d/e/2PACX-1vR5Sumn6eg4qfv_UGyg3v9YFdiNab8UX8IfNLKM55T9wtOFl5Torn-syATH8tgZ1x0LdsBkNYXUm2nE/pub
80. https://docs.google.com/document/d/e/2PACX-1vR77nL3sONpxkMPl5sQDkFDypI2jBee6FQIH1lUP7jsufSfHhMq18foSdFsETf0OVPrwQhrEodIClat/pub
81. https://docs.google.com/document/d/e/2PACX-1vRB4uyo_-sExlmgIt09jJFUObhLRB0A9V2lsvVwVjQJU_CUfoDu7wum4MYx-DtQKvC2LGbXGzuhcARA/pub
82. https://docs.google.com/document/d/e/2PACX-1vRe2XXcQC3oyBXs2tpYAgVSyVgjVo5_hN5NC-2k3rDBTiNZSkV8V67he05k8KwIAUEYwRW_6ZMXRtL1/pub
83. https://docs.google.com/document/d/e/2PACX-1vRf0jjCjquvWKXPMPUkJ8db9crsHmUdjBiuvmWxLO4m1zsJSinDmQMzpZYvLHBbEmCZVF53qy9ovL6N/pub
84. https://docs.google.com/document/d/e/2PACX-1vRglM4LT6gGUwBzivoe0NgHO8C4KvuNIgOBJdj-2HaquDuhYKRJi-OXNKsSldpe4ZRQbQciye8DWmjh/pub
85. https://docs.google.com/document/d/e/2PACX-1vRHgs7PXe8lwdtgSpuY1711oF6sYr1Vj1Z4qAHCiVIUuoZ246z8hzwxSloFRil7jx3BZdO23sojz1jo/pub
86. https://docs.google.com/document/d/e/2PACX-1vRKTlMr7LA3vGp-u9eErgY9jJSd0IwwGTxxQt4YlnxcVgwBepdjORDsb11jfp32G--Tf86rPvtNLBd9/pub
87. https://docs.google.com/document/d/e/2PACX-1vRnnwDHYt3sLU40A0px5JI8RYbAjiOp0ppkt0BWw8roKIKzhGh2cmLcR39pZ9eMa0wWwdgH0lw3_HHh/pub
88. https://docs.google.com/document/d/e/2PACX-1vRqJzsiUOqO7cuGbsKk1VGGx40rMxDNaLjJmTXyHxkao1bDn-zIc0hnH55MrGKv3XlbR3IJGHbW88LS/pub
89. https://docs.google.com/document/d/e/2PACX-1vRs_Ln6CQgoce-Gf_aS3XFpsT1THP8ih_0cdyxLj8oT6vPXlg_DVEN-fGQCmlDqpmzFwUFKaShfbUF9/pub
90. https://docs.google.com/document/d/e/2PACX-1vRUW3XNlW2MlbTlXK-sLdsxlhlhYSdXLYTjbTG7j8EG3L_10zhrGL3ehGvbh6q6PCD5iJKrbwDEPKJW/pub
91. https://docs.google.com/document/d/e/2PACX-1vRXybvqef5r5F4pZzWT2G6puEZA9eiv8sC44fkJKA8kzWldzTXoRVdeE53RGktGz-N38rMqqWMlhgM8/pub
92. https://docs.google.com/document/d/e/2PACX-1vSamCreZYOgAmveo04q8gu15PIzA5vT_xwy57ThaXpjteaioQeKrzkx5rAdRNbUstDbsO2NGtQY3Jeg/pub
93. https://docs.google.com/document/d/e/2PACX-1vSGar165um7mu1tBLjT_edfZFBv8RYzN5CLto2374tGN7OQiC8uMB4OKuaZa_nFTI1Sp6qIK3FSOX7B/pub
94. https://docs.google.com/document/d/e/2PACX-1vSh1NaJ6pt-Pmtv3qLAQ-1d8BxfU1JwxrS1UH3-eou8LPxAdfhPisJroQ0J6sPPMNJLuPawvC4Hai9g/pub
95. https://docs.google.com/document/d/e/2PACX-1vSq_xgjB1aRZlhS3bcrAbTD6Tc0WLwK5tWU9CbMEmRlg8fsW8Y0tuy5EZjNdAYKtKlJ6d6Gkdq2qc8-/pub
96. https://docs.google.com/document/d/e/2PACX-1vSsRZVi4F6AaVMKGDbcxfOmbuSwYPiOFZXKNUzY5qWwEBZex3ZGwm8y0sYePyiuqCZgjlOAAjm5HKxp/pub
97. https://docs.google.com/document/d/e/2PACX-1vSzWS8cxL6m40c1RxW7QraFYIglzCfIPzciw4HCMpokLg0egJCd8w1kX4A4ZNpkP9woQCnrR7O7eaE2/pub
98. https://docs.google.com/document/d/e/2PACX-1vT1w5hUAG8DDGsd8X2vF42bDI7cTGw-6uImVbmotRsXI0b_6pAwPV9K1fpHAQop5PaIZTlnm3MKMcBc/pub
99. https://docs.google.com/document/d/e/2PACX-1vT3q4T9OcJJ8QsdmWphqZooWxQ51CTxMbeRIB7_YqoZw2nmf0uWmERssEuXCvqni1FjaCHXT3_1KhAu/pub
100. https://docs.google.com/document/d/e/2PACX-1vTB0f227l4EqmHur6dLh_0O2dF0MPVetT5XWt3Msb-bMWXhY53HngKJYFM3w5DlN3KFaFOuQMHMmZTi/pub
101. https://docs.google.com/document/d/e/2PACX-1vTEJ3_yZK2vLbCixsjT9nAvMhx2FFvz7ymybEBCmNR0uO5LyDzwUSASbjcz4no5i04KKeXSc-fxiXi0/pub
102. https://docs.google.com/document/d/e/2PACX-1vTqEvrVNoqjCcChavXFlufls5Tqg23ym_JeMgfJLaho9oOmEIbHPI6adV-hV6OHhzGdZIumf4QVbyrl/pub
103. https://docs.google.com/document/d/e/2PACX-1vTvHFYMJc548uyEjxM8jmoR4f5Del3Uv1UHJqjrGpRfCqTQ1jdBGS6YwcipZ0Z123KnRpU2ChPtkjK8/pub
104. https://docs.google.com/document/d/e/2PACX-1vTzsg8X6kU2mjyDeiy38mbNPmJyqucNoKBPUI1ZkUV5WLBClhMmGOlD0k_P7DE-ekV5rR6a6xBtVgxh/pub
105.  
106. MALDOC DISTRIBUTION URLS
107. http://lormano.com/aproval.php
108. https://forms.saurashtrauniversity.edu/photomask.php
109. https://api.cdmvertical.com/augmentability.php
110. https://sieuthiacc.vn/indeclinable.php
111. https://forms.saurashtrauniversity.edu/believing.php
112.  
113. cdmvertical.com
114. lormano.com
115. saurashtrauniversity.edu
116. sieuthiacc.vn
117.  
118. HANCITOR MALDOC FILE HASHES
119. d612619487b653f2df244a7394e9fa46
120.  
121. HANCITOR PAYLOAD FILE HASH
122. edge.dll
123. be8f099ce03e4e031f8263a3656812de
124.  
125. HANCITOR C2
126. http://regatimmish.com/8/forum.php
127. http://wilewgracted.ru/8/forum.php
128. http://thimolkanivind.ru/8/forum.php
129.  
130. COBALT STRIKE PAYLOAD URLS
131. http://45des29.ru/1504.bin
132. http://45des29.ru/1504s.bin
133.  
134. COBALT STRIKE STAGER FILE HASHES
135. 1504.bin
136. 5fa38110e78a8c71ee52e6990e967322
137.  
138. 1504s.bin
139. 29f9fbe86100a927a879990d838cd0a3
140.  
141. COBALT STRIKE BEACON
142. http://173.199.115.116/QOEw
143.  
144. COBALT STRIKE C2
145. http://173.199.115.116/pixel.gif