2020-11-10 Hancitor IOCs

1. THREAT ATTRIBUTION: HANCITOR
2.  
3. SUBJECTS OBSERVED
4. You got invoice from DocuSign Electronic Service
5. You got invoice from DocuSign Electronic Signature Service
6. You got invoice from DocuSign Service
7. You got invoice from DocuSign Signature Service
8. You got notification from DocuSign Electronic Service
9. You got notification from DocuSign Electronic Signature Service
10. You got notification from DocuSign Service
11. You got notification from DocuSign Signature Service
12. You received invoice from DocuSign Electronic Service
13. You received invoice from DocuSign Service
14. You received invoice from DocuSign Signature Service
15. You received notification from DocuSign Electronic Service
16. You received notification from DocuSign Electronic Signature Service
17. You received notification from DocuSign Service
18. You received notification from DocuSign Signature Service
19.  
20. SENDERS OBSERVED
21. [email protected]
22. [email protected]
23. [email protected]
24. [email protected]
25. [email protected]
26. [email protected]
27. [email protected]
28. [email protected]
29. [email protected]
30. [email protected]
31. [email protected]
32. [email protected]
33. [email protected]
34. [email protected]
35. [email protected]
36. [email protected]
37. [email protected]
38. [email protected]
39. [email protected]
40. [email protected]
41. [email protected]
42. [email protected]
43. [email protected]
44. [email protected]
45. [email protected]
46. [email protected]
47. [email protected]
48. [email protected]
49. [email protected]
50. [email protected]
51. [email protected]
52. [email protected]
53. [email protected]
54. [email protected]
55. [email protected]
56. [email protected]
57. [email protected]
58. [email protected]
59. [email protected]
60. [email protected]
61.  
62. MALDOC PROXY URLS
63. https://docs.google.com/document/d/e/2PACX-1vQnoRr4CxkhGNNtYmXL47etHQ8s5SWMjiiXsJiBPkWruRM2JVjH6OfuHaJvzZHq7vo5UnSUdN-zI5iR/pub
64. https://docs.google.com/document/d/e/2PACX-1vQo2AQeCB2a9hjDFxdhtpKF60NybVjxD5MQit0y5uiyQ975GoB1oNVAhly4fO2-QPC-bHpiH-AB38_l/pub
65. https://docs.google.com/document/d/e/2PACX-1vQO6kczpZKQlvDX34Q6i28dVT6m5O4abKnueFPUkyXJH0-DYSl_9fn0ENl-X_Ln2f40E0J0q%0D%0Ar7AO0Lf/pub
66. https://docs.google.com/document/d/e/2PACX-1vQO6kczpZKQlvDX34Q6i28dVT6m5O4abKnueFPUkyXJH0-DYSl_9fn0ENl-X_Ln2f40E0J0qr7AO0Lf/pub
67. https://docs.google.com/document/d/e/2PACX-1vQPGnoS9sdusc9f6pJ92xarOR5zHKU43uyALyYSxx3bccMnqIukPDhJYZCtEEt9Gk7n_eEojIE-E2ID/pub
68. https://docs.google.com/document/d/e/2PACX-1vQw_fXxK1YprhQUbfli7XsIueQ-dt7zUFA_09N9mKFACKIMrjo2qRv0atw9E84NdBG2vHHRX7s-jK-F/pub
69. https://docs.google.com/document/d/e/2PACX-1vQYrbq2YvGgXOw9mmDNrHQtTGNOaQvnMw_i0KW92JOUQKqMm0LC-T_NHyayaPFdo0N9A3EZqRgoVXhF/pub
70. https://docs.google.com/document/d/e/2PACX-1vQzgCfHvLHR3MFowBMd0gzYKdinrK49qzYuu7hQGpA_-3tLGzZ-7YQCgwv1JLTj09K4m7r21%0D%0A5EwhMkk/pub
71. https://docs.google.com/document/d/e/2PACX-1vQzgCfHvLHR3MFowBMd0gzYKdinrK49qzYuu7hQGpA_-3tLGzZ-7YQCgwv1JLTj09K4m7r215EwhMkk/pub
72. https://docs.google.com/document/d/e/2PACX-1vReql3LgZo22AjZWzuZlY1x5M4FD2PJU2BiqvQYhtyswbMdCoo0eld1EOpSbitkGGH-hx5qdpDk_7-R/pub
73. https://docs.google.com/document/d/e/2PACX-1vRHtAkIul64aftt7JQUKkSO7lUHaixqcds6K7CDLx5H_aYWr6HUO1656STQ4vxVI0juLLqPfZBtQDmQ/pub
74. https://docs.google.com/document/d/e/2PACX-1vRJHn57p6sYuxq2-1SZHVDudhYR6FhGOOoiciq-QsnthxaL4uRHr9VrZlEbJyBo6ZOcdTwWP1Ed_xeC/pub
75. https://docs.google.com/document/d/e/2PACX-1vRJrh5C_FYRSxW7_AyPfMZ4pPNXWg7IfC6DIyu55wy2cn3fUEVCE7jL-P78o1p3Z6aCHbs0tOso1cyx/pub
76. https://docs.google.com/document/d/e/2PACX-1vRkeMym6iOZ4WV5ntlGyTbtqrt1Qkco-U3jnDWNh6gbhu4G3iLdLFrcMqWZCrc203cJhztxPKIw150S/pub
77. https://docs.google.com/document/d/e/2PACX-1vRNTDt6fGFsVbhy7xr67buNeTlRoA2RPdJ5V-mb-DNjqXXV0oIv0hokeXpexQ7pZnthAbKRHSRCi6ws/pub
78. https://docs.google.com/document/d/e/2PACX-1vRP90HyOapfMcl10IVu-04t0N2Mh0oIv9sGjbELL1vuD4034-t9hKqB_kIMfiG_YyBHOK0uJcQtmj3r/pub
79. https://docs.google.com/document/d/e/2PACX-1vRPaNWKVrRPKU-4FHFVuis1E1pfDWZmbc5uGgGNZ2WZoGvyQ-vQd2w26qIpzPRF7xI85nqoNHTAst-5/pub
80. https://docs.google.com/document/d/e/2PACX-1vRt6E4OKVxiGfHQtdTez8_iHGzXk19-8BdMc0OXv8_UH44M6Sp-GEQ6EsyLFy8xaCT8EyGtWfsfi7OP/pub
81. https://docs.google.com/document/d/e/2PACX-1vRv8QLL31CgrZiZAMtknywRsTA3y1VT6JxyjODN53AvI_fMwcuchYLJiEnbIsVZLGMyX0R1zTozQm9Y/pub
82. https://docs.google.com/document/d/e/2PACX-1vRwoWLmvRsgZWBqX_ybQtdPb8AebDD9C69qNRd40-FW3x4Vv21zopMC3JR8Lbeu_2jwe51iR%0D%0AytGw4ol/pub
83. https://docs.google.com/document/d/e/2PACX-1vRwoWLmvRsgZWBqX_ybQtdPb8AebDD9C69qNRd40-FW3x4Vv21zopMC3JR8Lbeu_2jwe51iRytGw4ol/pub
84. https://docs.google.com/document/d/e/2PACX-1vRWrUwcCz7wOfiZ_TvQcz9Lu3SuY-o2xzmTaPXCE8PZXmXJcnQAEple5ZR1S8pC2TU02WPSwPWScUWw/pub
85. https://docs.google.com/document/d/e/2PACX-1vRxk6Ik6RMlR3LiCKyVt7XWaxyEBST-VVIn75cUndu13kQSaCVdIwE3FJZJclhTB-xRjALTW5-zIHMM/pub
86. https://docs.google.com/document/d/e/2PACX-1vRzQxOdRSDtSiLBa-WRfCd_VVI4u_aKUQTu2N2poeDAWaZ2HUgZwUOmaKTXyBzim1hERz6paxeGUkhG/pub
87. https://docs.google.com/document/d/e/2PACX-1vRZzLUH-deBYmhsn7pxz-DSLavVmFFvRNkj3EeC6IK0H1X9ySCpuoFs4gt2dWA27yUJantIl2JC0ui-/pub
88. https://docs.google.com/document/d/e/2PACX-1vS4uA3kEN3V498yzAX9__80gLIxmbQ5Qwa5jhJHWDDS8kwBAbsB97KxWG_uniqCmXEX-NjlnwVqYuqu/pub
89. https://docs.google.com/document/d/e/2PACX-1vSavApbfZn2kXVtdrZ1qizqbj4ss3HbEti48w1YaiDNrNHBJWfDfzF1HXrqAAc79mD5HlDLZiB_SW-Y/pub
90. https://docs.google.com/document/d/e/2PACX-1vSiXWGl4k3SKXWQBK7WF7coo_SSICJmaFa9LneYtnuSR-XJ8Ju3PP6AM7jXL1CXymaOpzy2VlHV7ElB/pub
91. https://docs.google.com/document/d/e/2PACX-1vSPF9RFFVduT-e-50aBLu1YYC9FDM4lHXEgTX-AFLeMxnbjO-yoUh5bfu9ZQ8Q3JkADlR2Y5%0D%0AHL2oNNA/pub
92. https://docs.google.com/document/d/e/2PACX-1vSPF9RFFVduT-e-50aBLu1YYC9FDM4lHXEgTX-AFLeMxnbjO-yoUh5bfu9ZQ8Q3JkADlR2Y5HL2oNNA/pub
93. https://docs.google.com/document/d/e/2PACX-1vSv6YHyh27I1rv3ZhXtmED5UMBOlpbOtqVl0dDyW3DDckNeEwepr9ct-VQKtUvV1OG3DXgtZpC8SFjY/pub
94. https://docs.google.com/document/d/e/2PACX-1vT7I7AgtHLmparcxKWWUj6UQ89fQwcvWnrGKrvCElkhJwBwQmyANlpz4Qet5ku3dv0hC-SdCx17Mp2G/pub
95. https://docs.google.com/document/d/e/2PACX-1vTeYpISYhaKAhUNyN44VZbS8gbfR97C4_fXkrkctW2vQOPh1Z-bEHlrDIzlZiqYhflc_7cys5KgvSC4/pub
96. https://docs.google.com/document/d/e/2PACX-1vTQD98SAMWxrpQukvQU6rnoA0TShM_X3cNlos1hOQ0YM8kPalzuHgHFlrbLG73YCkwAkMQll5StgvOq/pub
97. https://docs.google.com/document/d/e/2PACX-1vTU4fSvHAIYBfY_6WCshXXqtqV98uYiDb7MtnNUODRatY8yadwbHzRUG5iHMXiGrDcYdwSyBGGxVd3D/pub
98.  
99. MALDOC DISTRIBUTION URLS
100. http://actorwebsitereview.com/gun.php
101. http://agroturismemallorca.com/ride.php
102. http://allinclusivemajorca.com/domestic.php
103. http://demo2.brand-chemist.com/stealthily.php
104. http://mallorca.buzz/adolescent.php
105. http://mallorcamedical.com/monochroic.php
106. https://airborne.pro/soph.php
107. https://crazydeal101.com/alacrity.php
108. https://edukare.info/matriculate.php
109. https://hidrautest.com.br/bacteriology.php
110. https://hidrautest.com.br/correctness.php
111. https://imugan.com/starfish.php
112. https://rumahsyariahmks.com/yahweh.php
113. https://sedgefuneralplan.com/circulatory.php
114. https://spertoglass.com/memoranda.php
115. https://spertoglass.com/stapedes.php
116. https://spertoglass.com/therms.php
117. https://wordpress.manpow.co/starves.php
118.  
119. MALDOC FILE HASHES
120. 1110_74634.doc
121. 2e09612f1a523f862ba91e4260dc4a9c
122.  
123. HANCITOR DOWNLOAD URLS
124. Embedded in the Word document
125.  
126. HANCITOR PAYLOAD FILE HASHES
127. 22.mp4
128. 15e3a3bba36953e8492a64b55be03bb7
129.  
130. HANCITOR C2
131. http://codathegorthe.ru/8/forum.php
132. http://julthatpallike.ru/8/forum.php
133. http://trideprere.com/8/forum.php
134.  
135. FICKER STEALER DOWNLOAD URLS
136. http://tennysondonehue.com/f44.exe
137.  
138. FICKER STEALER FILE HASHES
139. f44.exe
140. 1db6bd4d13cb9966e8875b3812aef71d
141.  
142. I also saw DNS queries to:
143. taftahrice.com: type A, class IN
144. cussoricti.com: type A, class IN
145.