ExecuteMalware

2020-11-10 Hancitor IOCs

Nov 10th, 2020 (edited)
THREAT ATTRIBUTION: HANCITOR

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED
b@ronniesabb.com
ciemx@ronniesabb.com
d@ronniesabb.com
daiexvu@ronniesabb.com
edpz@ronniesabb.com
eigmeha@ronniesabb.com
eo@ronniesabb.com
epifu@ronniesabb.com
ezaqnfb@ronniesabb.com
fwevewe@ronniesabb.com
fyrornh@ronniesabb.com
hbyjon@ronniesabb.com
iugataw@ronniesabb.com
jyfonih@ronniesabb.com
kebs@ronniesabb.com
laijiog@ronniesabb.com
lho@ronniesabb.com
mjoea@ronniesabb.com
ni@ronniesabb.com
nkewu@ronniesabb.com
omb@ronniesabb.com
ooocx@ronniesabb.com
otofyy@ronniesabb.com
poyda@ronniesabb.com
qebweu@ronniesabb.com
r@ronniesabb.com
suizad@ronniesabb.com
toleys@ronniesabb.com
touokk@ronniesabb.com
uaiin@ronniesabb.com
uyswelu@ronniesabb.com
vanoark@ronniesabb.com
vegaq@ronniesabb.com
vhmahvf@ronniesabb.com
vuyva@ronniesabb.com
wid@ronniesabb.com
winiiag@ronniesabb.com
xizoh@ronniesabb.com
xtiwicj@ronniesabb.com
xyhye@ronniesabb.com

MALDOC PROXY URLS
https://docs.google.com/document/d/e/2PACX-1vQnoRr4CxkhGNNtYmXL47etHQ8s5SWMjiiXsJiBPkWruRM2JVjH6OfuHaJvzZHq7vo5UnSUdN-zI5iR/pub
https://docs.google.com/document/d/e/2PACX-1vQo2AQeCB2a9hjDFxdhtpKF60NybVjxD5MQit0y5uiyQ975GoB1oNVAhly4fO2-QPC-bHpiH-AB38_l/pub
https://docs.google.com/document/d/e/2PACX-1vQO6kczpZKQlvDX34Q6i28dVT6m5O4abKnueFPUkyXJH0-DYSl_9fn0ENl-X_Ln2f40E0J0q%0D%0Ar7AO0Lf/pub
https://docs.google.com/document/d/e/2PACX-1vQO6kczpZKQlvDX34Q6i28dVT6m5O4abKnueFPUkyXJH0-DYSl_9fn0ENl-X_Ln2f40E0J0qr7AO0Lf/pub
https://docs.google.com/document/d/e/2PACX-1vQPGnoS9sdusc9f6pJ92xarOR5zHKU43uyALyYSxx3bccMnqIukPDhJYZCtEEt9Gk7n_eEojIE-E2ID/pub
https://docs.google.com/document/d/e/2PACX-1vQw_fXxK1YprhQUbfli7XsIueQ-dt7zUFA_09N9mKFACKIMrjo2qRv0atw9E84NdBG2vHHRX7s-jK-F/pub
https://docs.google.com/document/d/e/2PACX-1vQYrbq2YvGgXOw9mmDNrHQtTGNOaQvnMw_i0KW92JOUQKqMm0LC-T_NHyayaPFdo0N9A3EZqRgoVXhF/pub
https://docs.google.com/document/d/e/2PACX-1vQzgCfHvLHR3MFowBMd0gzYKdinrK49qzYuu7hQGpA_-3tLGzZ-7YQCgwv1JLTj09K4m7r21%0D%0A5EwhMkk/pub
https://docs.google.com/document/d/e/2PACX-1vQzgCfHvLHR3MFowBMd0gzYKdinrK49qzYuu7hQGpA_-3tLGzZ-7YQCgwv1JLTj09K4m7r215EwhMkk/pub
https://docs.google.com/document/d/e/2PACX-1vReql3LgZo22AjZWzuZlY1x5M4FD2PJU2BiqvQYhtyswbMdCoo0eld1EOpSbitkGGH-hx5qdpDk_7-R/pub
https://docs.google.com/document/d/e/2PACX-1vRHtAkIul64aftt7JQUKkSO7lUHaixqcds6K7CDLx5H_aYWr6HUO1656STQ4vxVI0juLLqPfZBtQDmQ/pub
https://docs.google.com/document/d/e/2PACX-1vRJHn57p6sYuxq2-1SZHVDudhYR6FhGOOoiciq-QsnthxaL4uRHr9VrZlEbJyBo6ZOcdTwWP1Ed_xeC/pub
https://docs.google.com/document/d/e/2PACX-1vRJrh5C_FYRSxW7_AyPfMZ4pPNXWg7IfC6DIyu55wy2cn3fUEVCE7jL-P78o1p3Z6aCHbs0tOso1cyx/pub
https://docs.google.com/document/d/e/2PACX-1vRkeMym6iOZ4WV5ntlGyTbtqrt1Qkco-U3jnDWNh6gbhu4G3iLdLFrcMqWZCrc203cJhztxPKIw150S/pub
https://docs.google.com/document/d/e/2PACX-1vRNTDt6fGFsVbhy7xr67buNeTlRoA2RPdJ5V-mb-DNjqXXV0oIv0hokeXpexQ7pZnthAbKRHSRCi6ws/pub
https://docs.google.com/document/d/e/2PACX-1vRP90HyOapfMcl10IVu-04t0N2Mh0oIv9sGjbELL1vuD4034-t9hKqB_kIMfiG_YyBHOK0uJcQtmj3r/pub
https://docs.google.com/document/d/e/2PACX-1vRPaNWKVrRPKU-4FHFVuis1E1pfDWZmbc5uGgGNZ2WZoGvyQ-vQd2w26qIpzPRF7xI85nqoNHTAst-5/pub
https://docs.google.com/document/d/e/2PACX-1vRt6E4OKVxiGfHQtdTez8_iHGzXk19-8BdMc0OXv8_UH44M6Sp-GEQ6EsyLFy8xaCT8EyGtWfsfi7OP/pub
https://docs.google.com/document/d/e/2PACX-1vRv8QLL31CgrZiZAMtknywRsTA3y1VT6JxyjODN53AvI_fMwcuchYLJiEnbIsVZLGMyX0R1zTozQm9Y/pub
https://docs.google.com/document/d/e/2PACX-1vRwoWLmvRsgZWBqX_ybQtdPb8AebDD9C69qNRd40-FW3x4Vv21zopMC3JR8Lbeu_2jwe51iR%0D%0AytGw4ol/pub
https://docs.google.com/document/d/e/2PACX-1vRwoWLmvRsgZWBqX_ybQtdPb8AebDD9C69qNRd40-FW3x4Vv21zopMC3JR8Lbeu_2jwe51iRytGw4ol/pub
https://docs.google.com/document/d/e/2PACX-1vRWrUwcCz7wOfiZ_TvQcz9Lu3SuY-o2xzmTaPXCE8PZXmXJcnQAEple5ZR1S8pC2TU02WPSwPWScUWw/pub
https://docs.google.com/document/d/e/2PACX-1vRxk6Ik6RMlR3LiCKyVt7XWaxyEBST-VVIn75cUndu13kQSaCVdIwE3FJZJclhTB-xRjALTW5-zIHMM/pub
https://docs.google.com/document/d/e/2PACX-1vRzQxOdRSDtSiLBa-WRfCd_VVI4u_aKUQTu2N2poeDAWaZ2HUgZwUOmaKTXyBzim1hERz6paxeGUkhG/pub
https://docs.google.com/document/d/e/2PACX-1vRZzLUH-deBYmhsn7pxz-DSLavVmFFvRNkj3EeC6IK0H1X9ySCpuoFs4gt2dWA27yUJantIl2JC0ui-/pub
https://docs.google.com/document/d/e/2PACX-1vS4uA3kEN3V498yzAX9__80gLIxmbQ5Qwa5jhJHWDDS8kwBAbsB97KxWG_uniqCmXEX-NjlnwVqYuqu/pub
https://docs.google.com/document/d/e/2PACX-1vSavApbfZn2kXVtdrZ1qizqbj4ss3HbEti48w1YaiDNrNHBJWfDfzF1HXrqAAc79mD5HlDLZiB_SW-Y/pub
https://docs.google.com/document/d/e/2PACX-1vSiXWGl4k3SKXWQBK7WF7coo_SSICJmaFa9LneYtnuSR-XJ8Ju3PP6AM7jXL1CXymaOpzy2VlHV7ElB/pub
https://docs.google.com/document/d/e/2PACX-1vSPF9RFFVduT-e-50aBLu1YYC9FDM4lHXEgTX-AFLeMxnbjO-yoUh5bfu9ZQ8Q3JkADlR2Y5%0D%0AHL2oNNA/pub
https://docs.google.com/document/d/e/2PACX-1vSPF9RFFVduT-e-50aBLu1YYC9FDM4lHXEgTX-AFLeMxnbjO-yoUh5bfu9ZQ8Q3JkADlR2Y5HL2oNNA/pub
https://docs.google.com/document/d/e/2PACX-1vSv6YHyh27I1rv3ZhXtmED5UMBOlpbOtqVl0dDyW3DDckNeEwepr9ct-VQKtUvV1OG3DXgtZpC8SFjY/pub
https://docs.google.com/document/d/e/2PACX-1vT7I7AgtHLmparcxKWWUj6UQ89fQwcvWnrGKrvCElkhJwBwQmyANlpz4Qet5ku3dv0hC-SdCx17Mp2G/pub
https://docs.google.com/document/d/e/2PACX-1vTeYpISYhaKAhUNyN44VZbS8gbfR97C4_fXkrkctW2vQOPh1Z-bEHlrDIzlZiqYhflc_7cys5KgvSC4/pub
https://docs.google.com/document/d/e/2PACX-1vTQD98SAMWxrpQukvQU6rnoA0TShM_X3cNlos1hOQ0YM8kPalzuHgHFlrbLG73YCkwAkMQll5StgvOq/pub
https://docs.google.com/document/d/e/2PACX-1vTU4fSvHAIYBfY_6WCshXXqtqV98uYiDb7MtnNUODRatY8yadwbHzRUG5iHMXiGrDcYdwSyBGGxVd3D/pub

MALDOC DISTRIBUTION URLS
http://actorwebsitereview.com/gun.php
http://agroturismemallorca.com/ride.php
http://allinclusivemajorca.com/domestic.php
http://demo2.brand-chemist.com/stealthily.php
http://mallorca.buzz/adolescent.php
http://mallorcamedical.com/monochroic.php
https://airborne.pro/soph.php
https://crazydeal101.com/alacrity.php
https://edukare.info/matriculate.php
https://hidrautest.com.br/bacteriology.php
https://hidrautest.com.br/correctness.php
https://imugan.com/starfish.php
https://rumahsyariahmks.com/yahweh.php
https://sedgefuneralplan.com/circulatory.php
https://spertoglass.com/memoranda.php
https://spertoglass.com/stapedes.php
https://spertoglass.com/therms.php
https://wordpress.manpow.co/starves.php

MALDOC FILE HASHES
1110_74634.doc
2e09612f1a523f862ba91e4260dc4a9c

HANCITOR DOWNLOAD URLS
Embedded in the Word document

HANCITOR PAYLOAD FILE HASHES
22.mp4
15e3a3bba36953e8492a64b55be03bb7

HANCITOR C2
http://codathegorthe.ru/8/forum.php
http://julthatpallike.ru/8/forum.php
http://trideprere.com/8/forum.php

FICKER STEALER DOWNLOAD URLS
http://tennysondonehue.com/f44.exe

FICKER STEALER FILE HASHES
f44.exe
1db6bd4d13cb9966e8875b3812aef71d

I also saw DNS queries to:
taftahrice.com: type A, class IN
cussoricti.com: type A, class IN