2021-07-21 Hancitor IOCs

1. THREAT IDENTIFICATION: HANCITOR / FICKER STEALER / COBALT STRIKE
2.  
3. HANCITOR BUILD NUMBER
4. BUILD=1907_hjfsd
5.  
6. SUBJECTS OBSERVED
7. You got invoice from DocuSign Electronic Service
8. You got invoice from DocuSign Electronic Signature Service
9. You got invoice from DocuSign Service
10. You got invoice from DocuSign Signature Service
11. You got notification from DocuSign Electronic Service
12. You got notification from DocuSign Electronic Signature Service
13. You got notification from DocuSign Service
14. You got notification from DocuSign Signature Service
15. You received invoice from DocuSign Electronic Service
16. You received invoice from DocuSign Electronic Signature Service
17. You received invoice from DocuSign Service
18. You received invoice from DocuSign Signature Service
19. You received notification from DocuSign Electronic Service
20. You received notification from DocuSign Electronic Signature Service
21. You received notification from DocuSign Service
22. You received notification from DocuSign Signature Service
23.  
24. SENDERS OBSERVED
25. [email protected]
26. [email protected]
27. [email protected]
28. [email protected]
29. [email protected]
30. [email protected]
31. [email protected]
32. [email protected]
33. [email protected]
34. [email protected]
35. [email protected]
36. [email protected]
37. [email protected]
38. [email protected]
39. [email protected]
40. [email protected]
41. [email protected]
42. [email protected]
43. [email protected]
44. [email protected]
45. [email protected]
46. [email protected]
47. [email protected]
48. [email protected]
49. [email protected]
50. [email protected]
51. [email protected]
52. [email protected]
53. [email protected]
54. [email protected]
55. [email protected]
56. [email protected]
57. [email protected]
58. [email protected]
59. [email protected]
60. [email protected]
61. [email protected]
62. [email protected]
63. [email protected]
64. [email protected]
65. [email protected]
66. [email protected]
67. [email protected]
68. [email protected]
69. [email protected]
70. [email protected]
71. [email protected]
72. [email protected]
73. [email protected]
74. [email protected]
75. [email protected]
76. [email protected]
77. [email protected]
78. [email protected]
79. [email protected]
80. [email protected]
81. [email protected]
82. [email protected]
83. [email protected]
84. [email protected]
85. [email protected]
86. [email protected]
87. [email protected]
88. [email protected]
89. [email protected]
90. [email protected]
91. [email protected]
92. [email protected]
93. [email protected]
94. [email protected]
95. [email protected]
96. [email protected]
97. [email protected]
98. [email protected]
99. [email protected]
100. [email protected]
101. [email protected]
102. [email protected]
103. [email protected]
104. [email protected]
105. [email protected]
106. [email protected]
107. [email protected]
108. [email protected]
109. [email protected]
110. [email protected]
111. [email protected]
112. [email protected]
113. [email protected]
114. [email protected]
115. [email protected]
116. [email protected]
117. [email protected]
118. [email protected]
119. [email protected]
120. [email protected]
121. [email protected]
122. [email protected]
123. [email protected]
124. [email protected]
125. [email protected]
126. [email protected]
127. [email protected]
128. [email protected]
129. [email protected]
130. [email protected]
131. [email protected]
132. [email protected]
133. [email protected]
134. [email protected]
135. [email protected]
136. [email protected]
137. [email protected]
138. [email protected]
139. [email protected]
140. [email protected]
141. [email protected]
142. [email protected]
143. [email protected]
144. [email protected]
145. [email protected]
146. [email protected]
147. [email protected]
148. [email protected]
149. [email protected]
150. [email protected]
151. [email protected]
152. [email protected]
153. [email protected]
154. [email protected]
155. [email protected]
156. [email protected]
157. [email protected]
158. [email protected]
159. [email protected]
160. [email protected]
161. [email protected]
162. [email protected]
163. [email protected]
164. [email protected]
165. [email protected]
166. [email protected]
167. [email protected]
168. [email protected]
169. [email protected]
170. [email protected]
171. [email protected]
172. [email protected]
173. [email protected]
174. [email protected]
175. [email protected]
176. [email protected]
177. [email protected]
178. [email protected]
179. [email protected]
180. [email protected]
181. [email protected]
182. [email protected]
183. [email protected]
184. [email protected]
185. [email protected]
186. [email protected]
187. [email protected]
188. [email protected]
189. [email protected]
190. [email protected]
191. [email protected]
192. [email protected]
193. [email protected]
194. [email protected]
195. [email protected]
196. [email protected]
197. [email protected]
198. [email protected]
199. [email protected]
200. [email protected]
201. [email protected]
202. [email protected]
203. [email protected]
204. [email protected]
205. [email protected]
206. [email protected]
207. [email protected]
208. [email protected]
209. [email protected]
210. [email protected]
211. [email protected]
212. [email protected]
213. [email protected]
214. [email protected]
215. [email protected]
216. [email protected]
217. [email protected]
218. [email protected]
219. [email protected]
220. [email protected]
221. [email protected]
222. [email protected]
223. [email protected]
224. [email protected]
225. [email protected]
226. [email protected]
227. [email protected]
228. [email protected]
229. [email protected]
230. [email protected]
231. [email protected]
232. [email protected]
233. [email protected]
234. [email protected]
235. [email protected]
236. [email protected]
237.  
238. MALDOC PROXY DISTRIBUTION URLS
239. http://feedproxy.google.com/~r/ubrbdz/~3/bJamsKHFAfk/metallurgist.php
240. http://feedproxy.google.com/~r/udcbgnbhl/~3/p5FUZcPBCEU/breadbasket.php
241. http://feedproxy.google.com/~r/qergkluvhuv/~3/SUsTLKh812c/simpleminded.php
242. http://feedproxy.google.com/~r/npfjs/~3/sSx348jo1gk/steeplechase.php
243. http://feedproxy.google.com/~r/rpacrc/~3/zqtp-OUTWSw/unable.php
244.  
245. MALDOC REDIRECT DOWNLOAD URLS
246. Unavailable
247.  
248. MALDOC FILE HASHES
249. 0721_7525265361.xls
250. ddfe01c006b3cbf4a6929073e235a8b4
251.  
252. HANCITOR PAYLOAD FILE HASH
253. omsh.dll
254. 24190cd699631d16521dfb588b2571a3
255.  
256. HANCITOR C2
257. http://anithedtatione.ru/8/forum.php
258. http://thervidolown.com/8/forum.php
259. http://wiltuslads.ru/8/forum.php
260.  
261. FICKER STEALER DOWNLOAD URL
262. http://falan4zadron.ru/7hsjfd9w4refsd.exe
263.  
264. FICKER STEALER FILE HASH
265. 7hsjfd9w4refsd.exe
266. 270c3859591599642bd15167765246e3
267.  
268. FICKER STEALER C2
269. http://pospvisis.com
270.  
271. COBALT STRIKE STAGER DOWNLOAD URLS
272. http://falan4zadron.ru/1907.bin
273. http://falan4zadron.ru/1907S.bin
274.  
275. COBALT STRIKE STAGER FILE HASHES
276. 1907.bin
277. f11e2c4dded5a019edf7718af78e8731
278.  
279. 1907s.bin
280. 4cd7b8233b10bf0ffa75986b4479cd19
281.  
282. COBALT STRIKE BEACON DOWNLOAD URL
283. http://37.1.208.250/j7Pk
284.  
285. COBALT STRIKE BEACON FILE HASH
286. j7Pk
287. 122fef124babe98581e285e148d841d2
288.  
289. COBALT STRIKE C2
290. http://37.1.208.250/IE9CompatViewList.xml
291.  
292.  
293. COBALT STRIKE BEACON CONFIG (extracted using Didier Stevens 1768 Python script)
294. 0x0003 sleeptime 0x0002 0x0004 60000
295. 0x0004 maxgetsize 0x0002 0x0004 1048576
296. 0x0005 jitter 0x0001 0x0002 0
297. 0x0007 publickey 0x0003 0x0100 30819f300d06092a864886f70d010101050003818d0030818902818100a738cde75f1fbb1c18646c377e03016b162b12ba72bdf7dc36b4cd2e4e9bae12205a95c26170bf908105ad7fa4bbccfa798632261bed9870f975f20794e1fe499523d71f08a56cae0315bfde3d6c8a16386b03b7a6551aa1336d50325a3500db27d78ad8fd13b6a73b9fb7c3fb4d7a088e323f07618656ecd83595fa5f823613020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
298. 0x0008 server,get-uri 0x0003 0x0100 '37.1.208.250,/IE9CompatViewList.xml'
299. 0x0043 0x0001 0x0002 0
300. 0x0044 0x0002 0x0004 4294967295
301. 0x0045 0x0002 0x0004 4294967295
302. 0x0046 0x0002 0x0004 4294967295
303. 0x000e SpawnTo 0x0003 0x0010 (NULL ...)
304. 0x001d spawnto_x86 0x0003 0x0040 '%windir%\\syswow64\\rundll32.exe'
305. 0x001e spawnto_x64 0x0003 0x0040 '%windir%\\sysnative\\rundll32.exe'
306. 0x001f CryptoScheme 0x0001 0x0002 0
307. 0x001a get-verb 0x0003 0x0010 'GET'
308. 0x001b post-verb 0x0003 0x0010 'POST'
309. 0x001c HttpPostChunk 0x0002 0x0004 0
310. 0x0025 license-id 0x0002 0x0004 0
311. 0x0026 bStageCleanup 0x0001 0x0002 0
312. 0x0027 bCFGCaution 0x0001 0x0002 0
313. 0x0009 useragent 0x0003 0x0100 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)'
314. 0x000a post-uri 0x0003 0x0040 '/submit.php'
315. 0x000b Malleable_C2_Instructions 0x0003 0x0100 '\x00\x00\x00\x04'
316. 0x000c http_get_header 0x0003 0x0200
317. b'Cookie'
318. 0x000d http_post_header 0x0003 0x0200
319. b'&Content-Type: application/octet-stream'
320. b'id'
321. 0x0036 HostHeader 0x0003 0x0080 (NULL ...)
322. 0x0032 UsesCookies 0x0001 0x0002 1
323. 0x0023 proxy_type 0x0001 0x0002 2 IE settings
324. 0x003a 0x0003 0x0080 '\x00\x04'
325. 0x0039 0x0003 0x0080 '\x00\x04'
326. 0x0037 0x0001 0x0002 0
327. 0x0028 killdate 0x0002 0x0004 0
328. 0x0029 textSectionEnd 0x0002 0x0004 0
329. 0x002b process-inject-start-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
330. 0x002c process-inject-use-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
331. 0x002d process-inject-min_alloc 0x0002 0x0004 0
332. 0x002e process-inject-transform-x86 0x0003 0x0100 (NULL ...)
333. 0x002f process-inject-transform-x64 0x0003 0x0100 (NULL ...)
334. 0x0035 process-inject-stub 0x0003 0x0010 '2ÍAíð\x81\x0c[_I\x8eßG1Ìm'
335. 0x0033 process-inject-execute 0x0003 0x0080 '\x01\x02\x03\x04'
336. 0x0034 process-inject-allocation-method 0x0001 0x0002 0
337. 0x0000
338.  
339.