THREAT IDENTIFICATION: HANCITOR / FICKER STEALER / COBALT STRIKE
HANCITOR BUILD NUMBER
- BUILD=1907_hjfsd
SUBJECTS OBSERVED
- You got invoice from DocuSign Electronic Service
- You got invoice from DocuSign Electronic Signature Service
- You got invoice from DocuSign Service
- You got invoice from DocuSign Signature Service
- You got notification from DocuSign Electronic Service
- You got notification from DocuSign Electronic Signature Service
- You got notification from DocuSign Service
- You got notification from DocuSign Signature Service
- You received invoice from DocuSign Electronic Service
- You received invoice from DocuSign Electronic Signature Service
- You received invoice from DocuSign Service
- You received invoice from DocuSign Signature Service
- You received notification from DocuSign Electronic Service
- You received notification from DocuSign Electronic Signature Service
- You received notification from DocuSign Service
- You received notification from DocuSign Signature Service
SENDERS OBSERVED
- a@divosad.com
- aedioyi@divosad.com
- afoy@divosad.com
- agigi@divosad.com
- ahauho@divosad.com
- ahioqe@divosad.com
- aienyl@divosad.com
- aja@divosad.com
- ajyutiw@divosad.com
- aneponi@divosad.com
- anueodg@divosad.com
- anymih@divosad.com
- arixidf@divosad.com
- awvrah@divosad.com
- azivu@divosad.com
- azovaix@divosad.com
- azpaa@divosad.com
- b@divosad.com
- bab@divosad.com
- baiyxm@divosad.com
- bepjut@divosad.com
- biurayv@divosad.com
- bo@divosad.com
- by@divosad.com
- cafm@divosad.com
- ceczmij@divosad.com
- ci@divosad.com
- cy@divosad.com
- das@divosad.com
- dofyury@divosad.com
- drjaaog@divosad.com
- duvwoel@divosad.com
- dyqi@divosad.com
- e@divosad.com
- eazo@divosad.com
- ebjued@divosad.com
- eeywtom@divosad.com
- ej@divosad.com
- emtir@divosad.com
- emuki@divosad.com
- epavuce@divosad.com
- eqqy@divosad.com
- eroxye@divosad.com
- esdyqov@divosad.com
- etit@divosad.com
- euitiyo@divosad.com
- ey@divosad.com
- ezzc@divosad.com
- f@divosad.com
- fesivke@divosad.com
- ffy@divosad.com
- fhfu@divosad.com
- fuvydoo@divosad.com
- fyeaiq@divosad.com
- g@divosad.com
- gahiogh@divosad.com
- gardyg@divosad.com
- gdegyic@divosad.com
- gecyumy@divosad.com
- gevobef@divosad.com
- gncekle@divosad.com
- gop@divosad.com
- gow@divosad.com
- gtwieyg@divosad.com
- guakyem@divosad.com
- gvuxuvu@divosad.com
- habbeoa@divosad.com
- hebxswh@divosad.com
- hfepr@divosad.com
- hgibbeo@divosad.com
- huuan@divosad.com
- hwyv@divosad.com
- i@divosad.com
- iaooppa@divosad.com
- ide@divosad.com
- ifo@divosad.com
- ikosiny@divosad.com
- ilru@divosad.com
- iugxjuw@divosad.com
- iuzmeew@divosad.com
- ivywazh@divosad.com
- iyq@divosad.com
- izci@divosad.com
- jieysek@divosad.com
- jiupeac@divosad.com
- jrpoto@divosad.com
- k@divosad.com
- ka@divosad.com
- kavhexa@divosad.com
- kdykhuf@divosad.com
- kiqjoli@divosad.com
- kiwakeq@divosad.com
- kogwixw@divosad.com
- koyae@divosad.com
- lendazy@divosad.com
- lhiiz@divosad.com
- lhnafah@divosad.com
- liadyt@divosad.com
- lmizoby@divosad.com
- lopur@divosad.com
- m@divosad.com
- maduui@divosad.com
- mearcis@divosad.com
- menemye@divosad.com
- mh@divosad.com
- n@divosad.com
- nanyapy@divosad.com
- nceoo@divosad.com
- noupn@divosad.com
- nuupfmy@divosad.com
- nuyt@divosad.com
- o@divosad.com
- ocuywed@divosad.com
- ofimin@divosad.com
- ojba@divosad.com
- olek@divosad.com
- oqvxin@divosad.com
- oviuvue@divosad.com
- ovzenlo@divosad.com
- oyrgyxu@divosad.com
- ozinkjo@divosad.com
- p@divosad.com
- papqa@divosad.com
- parowaz@divosad.com
- pcyi@divosad.com
- pe@divosad.com
- pjnhu@divosad.com
- pnrogby@divosad.com
- pz@divosad.com
- qi@divosad.com
- qiprhey@divosad.com
- qx@divosad.com
- r@divosad.com
- rayme@divosad.com
- rgsuy@divosad.com
- ron@divosad.com
- rvojy@divosad.com
- ryikas@divosad.com
- ryuwijd@divosad.com
- ryx@divosad.com
- sa@divosad.com
- sawmajt@divosad.com
- se@divosad.com
- su@divosad.com
- submnob@divosad.com
- svai@divosad.com
- syzulk@divosad.com
- t@divosad.com
- tmyxwef@divosad.com
- tofuauk@divosad.com
- toryvac@divosad.com
- tubemyz@divosad.com
- tulfoq@divosad.com
- tyvipyl@divosad.com
- tyyumvo@divosad.com
- tzorexa@divosad.com
- ua@divosad.com
- uao@divosad.com
- ubavfgl@divosad.com
- ucafem@divosad.com
- ueixe@divosad.com
- uelaony@divosad.com
- uk@divosad.com
- ukup@divosad.com
- upo@divosad.com
- uropa@divosad.com
- uusty@divosad.com
- uux@divosad.com
- uyymavf@divosad.com
- vetfebe@divosad.com
- vewieuz@divosad.com
- vjeui@divosad.com
- voprpip@divosad.com
- vug@divosad.com
- vxaaloe@divosad.com
- wapenyq@divosad.com
- whkoovn@divosad.com
- wl@divosad.com
- woqiuvd@divosad.com
- wqicivy@divosad.com
- wyqiu@divosad.com
- x@divosad.com
- xapkafi@divosad.com
- xuuqam@divosad.com
- xy@divosad.com
- xydduyf@divosad.com
- xyguc@divosad.com
- xyt@divosad.com
- yd@divosad.com
- yikqzyq@divosad.com
- yjdyzu@divosad.com
- yji@divosad.com
- ykia@divosad.com
- yohax@divosad.com
- yuhcfko@divosad.com
- yuugym@divosad.com
- yvoyd@divosad.com
- ywmy@divosad.com
- yyeodef@divosad.com
- z@divosad.com
- za@divosad.com
- zaaoaox@divosad.com
- zeiqayu@divosad.com
- zeomado@divosad.com
- zipajzc@divosad.com
- ziqycay@divosad.com
- zlubhel@divosad.com
- zobekg@divosad.com
- zvtwieh@divosad.com
- zycudyl@divosad.com
- zyuovey@divosad.com
- zzb@divosad.com
MALDOC PROXY DISTRIBUTION URLS
- http://feedproxy.google.com/~r/ubrbdz/~3/bJamsKHFAfk/metallurgist.php
- http://feedproxy.google.com/~r/udcbgnbhl/~3/p5FUZcPBCEU/breadbasket.php
- http://feedproxy.google.com/~r/qergkluvhuv/~3/SUsTLKh812c/simpleminded.php
- http://feedproxy.google.com/~r/npfjs/~3/sSx348jo1gk/steeplechase.php
- http://feedproxy.google.com/~r/rpacrc/~3/zqtp-OUTWSw/unable.php
MALDOC REDIRECT DOWNLOAD URLS
- Unavailable
MALDOC FILE HASHES
- 0721_7525265361.xls
- ddfe01c006b3cbf4a6929073e235a8b4
HANCITOR PAYLOAD FILE HASH
- omsh.dll
- 24190cd699631d16521dfb588b2571a3
HANCITOR C2
- http://anithedtatione.ru/8/forum.php
- http://thervidolown.com/8/forum.php
- http://wiltuslads.ru/8/forum.php
FICKER STEALER DOWNLOAD URL
- http://falan4zadron.ru/7hsjfd9w4refsd.exe
FICKER STEALER FILE HASH
- 7hsjfd9w4refsd.exe
- 270c3859591599642bd15167765246e3
FICKER STEALER C2
- http://pospvisis.com
COBALT STRIKE STAGER DOWNLOAD URLS
- http://falan4zadron.ru/1907.bin
- http://falan4zadron.ru/1907S.bin
COBALT STRIKE STAGER FILE HASHES
- 1907.bin
- f11e2c4dded5a019edf7718af78e8731
- 1907s.bin
- 4cd7b8233b10bf0ffa75986b4479cd19
COBALT STRIKE BEACON DOWNLOAD URL
- http://37.1.208.250/j7Pk
COBALT STRIKE BEACON FILE HASH
- j7Pk
- 122fef124babe98581e285e148d841d2
COBALT STRIKE C2
- http://37.1.208.250/IE9CompatViewList.xml
COBALT STRIKE BEACON CONFIG (extracted with Didier Stevens' 1768.py Python script)
- 0x0003 sleeptime 0x0002 0x0004 60000
- 0x0004 maxgetsize 0x0002 0x0004 1048576
- 0x0005 jitter 0x0001 0x0002 0
- 0x0007 publickey 0x0003 0x0100 30819f300d06092a864886f70d010101050003818d0030818902818100a738cde75f1fbb1c18646c377e03016b162b12ba72bdf7dc36b4cd2e4e9bae12205a95c26170bf908105ad7fa4bbccfa798632261bed9870f975f20794e1fe499523d71f08a56cae0315bfde3d6c8a16386b03b7a6551aa1336d50325a3500db27d78ad8fd13b6a73b9fb7c3fb4d7a088e323f07618656ecd83595fa5f823613020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- 0x0008 server,get-uri 0x0003 0x0100 '37.1.208.250,/IE9CompatViewList.xml'
- 0x0043 0x0001 0x0002 0
- 0x0044 0x0002 0x0004 4294967295
- 0x0045 0x0002 0x0004 4294967295
- 0x0046 0x0002 0x0004 4294967295
- 0x000e SpawnTo 0x0003 0x0010 (NULL ...)
- 0x001d spawnto_x86 0x0003 0x0040 '%windir%\\syswow64\\rundll32.exe'
- 0x001e spawnto_x64 0x0003 0x0040 '%windir%\\sysnative\\rundll32.exe'
- 0x001f CryptoScheme 0x0001 0x0002 0
- 0x001a get-verb 0x0003 0x0010 'GET'
- 0x001b post-verb 0x0003 0x0010 'POST'
- 0x001c HttpPostChunk 0x0002 0x0004 0
- 0x0025 license-id 0x0002 0x0004 0
- 0x0026 bStageCleanup 0x0001 0x0002 0
- 0x0027 bCFGCaution 0x0001 0x0002 0
- 0x0009 useragent 0x0003 0x0100 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)'
- 0x000a post-uri 0x0003 0x0040 '/submit.php'
- 0x000b Malleable_C2_Instructions 0x0003 0x0100 '\x00\x00\x00\x04'
- 0x000c http_get_header 0x0003 0x0200
- b'Cookie'
- 0x000d http_post_header 0x0003 0x0200
- b'&Content-Type: application/octet-stream'
- b'id'
- 0x0036 HostHeader 0x0003 0x0080 (NULL ...)
- 0x0032 UsesCookies 0x0001 0x0002 1
- 0x0023 proxy_type 0x0001 0x0002 2 IE settings
- 0x003a 0x0003 0x0080 '\x00\x04'
- 0x0039 0x0003 0x0080 '\x00\x04'
- 0x0037 0x0001 0x0002 0
- 0x0028 killdate 0x0002 0x0004 0
- 0x0029 textSectionEnd 0x0002 0x0004 0
- 0x002b process-inject-start-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
- 0x002c process-inject-use-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
- 0x002d process-inject-min_alloc 0x0002 0x0004 0
- 0x002e process-inject-transform-x86 0x0003 0x0100 (NULL ...)
- 0x002f process-inject-transform-x64 0x0003 0x0100 (NULL ...)
- 0x0035 process-inject-stub 0x0003 0x0010 '2ÍAíð\x81\x0c[_I\x8eßG1Ìm'
- 0x0033 process-inject-execute 0x0003 0x0080 '\x01\x02\x03\x04'
- 0x0034 process-inject-allocation-method 0x0001 0x0002 0
- 0x0000