2021-04-20 Hancitor IOCs

1. THREAT IDENTIFICATION: HANCITOR
2.  
3. SUBJECTS OBSERVED
4. You got invoice from DocuSign Electronic Service
5. You got invoice from DocuSign Electronic Signature Service
6. You got invoice from DocuSign Service
7. You got invoice from DocuSign Signature Service
8. You got notification from DocuSign Electronic Service
9. You got notification from DocuSign Electronic Signature Service
10. You got notification from DocuSign Service
11. You received invoice from DocuSign Electronic Service
12. You received invoice from DocuSign Electronic Signature Service
13. You received invoice from DocuSign Service
14. You received invoice from DocuSign Signature Service
15. You received notification from DocuSign Electronic Service
16. You received notification from DocuSign Electronic Signature Service
17. You received notification from DocuSign Service
18. You received notification from DocuSign Signature Service
19.  
20. SENDERS OBSERVED
21. [email protected]
22. [email protected]
23. [email protected]
24. [email protected]
25. [email protected]
26. [email protected]
27. [email protected]
28. [email protected]
29. [email protected]
30. [email protected]
31. [email protected]
32. [email protected]
33. [email protected]
34. [email protected]
35. [email protected]
36. [email protected]
37. [email protected]
38. [email protected]
39. [email protected]
40. [email protected]
41. [email protected]
42. [email protected]
43. [email protected]
44. [email protected]
45. [email protected]
46. [email protected]
47. [email protected]
48. [email protected]
49. [email protected]
50. [email protected]
51. [email protected]
52. [email protected]
53. [email protected]
54. [email protected]
55. [email protected]
56. [email protected]
57. [email protected]
58. [email protected]
59. [email protected]
60. [email protected]
61. [email protected]
62. [email protected]
63.  
64. MALDOC LANDING PAGE URLS
65. https://docs.google.com/document/d/e/2PACX-1vQa9QzPy4bCm8pHm8CwjiPeJBi7XmIxzf2IALrGkIruHTwb72pGSmP6SFUeXaNcdOjVhw0BQQhAydeV/pub
66. https://docs.google.com/document/d/e/2PACX-1vQC1GfeIv0DdXEXmLoHcvcbMmGaFFcx1_6E0xDAALcH3efDm_wg9uHVNR1NXXYHCD4wkJngybQ2gpwT/pub
67. https://docs.google.com/document/d/e/2PACX-1vQeiaRGvogu_Re2hI2I2P5RQYDjVLv2mXdi1N5Jo_B55wmDHYLlZbwPWZG7AVrIWaAcYVwMFyHJ_hQQ/pub
68. https://docs.google.com/document/d/e/2PACX-1vQiuLBW05nC2m4TN70wdjSTUA75wpWmUM9zr1vTGknukogti-4jBtIYFzSRqvbVzfiQlkbw3y6Bd0hK/pub
69. https://docs.google.com/document/d/e/2PACX-1vQLbrvHZ5NxnUypXEuZ91w0u9RY10aOMX_NVqxUnA20ySwk2TLGQEqxRbAV8muK3q5zmvvJDRYgIIer/pub
70. https://docs.google.com/document/d/e/2PACX-1vQNRpU8WX9jXk2CDGqHhi_k-Oi7W2wWg8wZrDDGAJXnsTd3ulg-y-mzJMKUVb4AHr-LW4d6Xs6UJ-qN/pub
71. https://docs.google.com/document/d/e/2PACX-1vQnW7YVj17nVq2RKMNdYOtVNsBQ3P7Ngr4BXaOtjRmQrGmdBQkFcCd4leiF3dRn-Vw3C2FmerAzBm-9/pub
72. https://docs.google.com/document/d/e/2PACX-1vQpEdoKoYo6uePO_ghrrpVyaaaYuhWML_2XxFj4CdzK6fJ56bvmR7o6T6Vr9ScQMoXwTv0WA_MqZEwl/pub
73. https://docs.google.com/document/d/e/2PACX-1vQSkAsAPrlsVkn0a6-sowf5IL-SSKkq_L6GRd35Z-faYqZXRYUA3h5C8RuiWCWZkHKb2JotAVEJd6e4/pub
74. https://docs.google.com/document/d/e/2PACX-1vQvG_ZgGQrA7FYDSO7KpjMrGPv-KUn42P3c8eD1oaBDoG4DOEG_lK9Z50CFQYQ95hyGfJ2sUJIHBOq1/pub
75. https://docs.google.com/document/d/e/2PACX-1vQvzNo8PaS3S5iz0gb59uGXEYdraQC6UQNt5DTLn3vBWzkSzAFptYSFHT6Wsdw2OQVzw7OAtWOCAyig/pub
76. https://docs.google.com/document/d/e/2PACX-1vQwin7bXd-T9M5lAI8W79raYyAZjCO2WCYfGFL9_jOKCkCg59UJhhdv4KRoUHf4lcovj7irPhmm-U13/pub
77. https://docs.google.com/document/d/e/2PACX-1vR0qneVq4j4DBfusinlSdIctp0xffFoYgjEDZYnuQlAeCWhyipbxSVduNv19oO5MeEddfeSw8P7A9U_/pub
78. https://docs.google.com/document/d/e/2PACX-1vR0XEKKL_pjbxPrWFnXSBa_5SrzaSsuz0rA-HhTNjU9mjrqbSpe0Xpdj2edlSrpJFCD30btPCtrHRRI/pub
79. https://docs.google.com/document/d/e/2PACX-1vRBF2UhXfk0KRbrjbaUkUM8rhxGocLvAB-yfpABPv3i7iTWhT6M3JMN38xd5TaSIbSfpBmCWYoMirW2/pub
80. https://docs.google.com/document/d/e/2PACX-1vRC6zp14NrlpHYpyK-WBqx9hQB4QoTx700UJ_s-pTM7HO1hvqg1zlRHapQWeJI5A4AqPTVq4DB-vZ8A/pub
81. https://docs.google.com/document/d/e/2PACX-1vREQkXKLr8hHpYeBkI82yDabP4aAG8GYHOOZFgCPbSpwFrxNt2kPxMfIh7GB4IfXBnHEj2fb--kcQHr/pub
82. https://docs.google.com/document/d/e/2PACX-1vRGE-pPksO5Qh5SYUDkY9CHVVJtZgBgJ_ke4Kv9Yx8dvSlvV2-19v13wtiBebjuCUqKE_rbUQvOhbT5/pub
83. https://docs.google.com/document/d/e/2PACX-1vRQZzTokYhrZ0atAvTkvMjBKRKUDfUs2xbwiAg01ruvH4J4NBJyYodABUnJMCqwQb4kHbyIF0M0NP3u/pub
84. https://docs.google.com/document/d/e/2PACX-1vRRMYPEqyuCVmywf9WXMeEOQ_Hd1EGgjq3SchZPKzHVCO1FCHQmbGSnLtUvs1Oz6ZB63jK6BI861v2b/pub
85. https://docs.google.com/document/d/e/2PACX-1vRup-LNzkvsRye4fFrbTrCfeHazFDpfdIUA24xjMkWrd2rJ21DyUMiiS0uLCxKD7K4ULNtd6gm5A8fx/pub
86. https://docs.google.com/document/d/e/2PACX-1vSbBjKuKT0PYCJyg802qnUbu-YMRU-DICPp9jrYrzs7spMCukVa_lVW7j-GYmG6j5CZK7kxx76wyxpb/pub
87. https://docs.google.com/document/d/e/2PACX-1vSoRqRyj45G1sCdqZn49cJ8zJuiw2HvmlecY30nzA5wHnFj_sTKClwRi0Pcbm-A7Lh0_8RGLkh62h-w/pub
88. https://docs.google.com/document/d/e/2PACX-1vSsL7wQuXd39m6d4U4C87z-CVVaLsACqABFjHseikQb0fq50kPYaPBzDulNdZ9OQeB0X4ABy9dc_XJE/pub
89. https://docs.google.com/document/d/e/2PACX-1vSW1SrrfmHVJJWpBHQVOuxZ7_3EbB04ZeLqpNzbQ1mzPdsMVE84hdnmrMqIVQZv6v-egyhjXnTxRKx0/pub
90. https://docs.google.com/document/d/e/2PACX-1vT4g2hEusOnqVNb_JFPlt7KaVDfXZUq1u45u-D9G8_9cQQeFzN3lEEJa4qkEMxk4kJDpf6soFeNHpRl/pub
91. https://docs.google.com/document/d/e/2PACX-1vT5iGOsBOEBtMCYGlSWbssF5_k0oNWEo3mYedgslb-f2gYp9RPTxw6Ea9H-LR6JG_NLZiZUPqD6UtCD/pub
92. https://docs.google.com/document/d/e/2PACX-1vT7fCmjPEPd-lESwxPH_P8jutZ5vbMoWjc0JzRYgnznUFRjyCRig5kYvfVcxNbYzXQMAcMJ6uWbUYeI/pub
93. https://docs.google.com/document/d/e/2PACX-1vT8-GM2tO_xIthlHp_ABTfLtrI0_JJ70h9YLtK7AIvCEYstgVT70fpDIlk3eSfF8UuUDJsWdry1jjJi/pub
94. https://docs.google.com/document/d/e/2PACX-1vTCwemExI8Wun8Owr_-8J6_9OMbRCb5A4qEwV7NpL0kFauv5kG2hUeY2VMtfE20N7yGAHM3LmYSEZfx/pub
95. https://docs.google.com/document/d/e/2PACX-1vTeuoIoiutOLS-7xwlYjfCDiruQU1935mWBILfpPnbC-uUN1FqniFlpiEO6zgq-SbVhg-rdBedNqdk4/pub
96. https://docs.google.com/document/d/e/2PACX-1vTgZip7wss3mTkGhAmm4CTxAAHjwR69vRcINYtHphUS9Ij_V90G_PnGftI34P__AEj3XpDrDd4tH_86/pub
97. https://docs.google.com/document/d/e/2PACX-1vTRxyo0MIEfdl-HxdGOZoOrsz_eFY152ZYNg1qLf__0OLQPciCOM0Fzsyat77UUbWdOeVzAKK8zetRG/pub
98. https://docs.google.com/document/d/e/2PACX-1vTVfQCo8JHjwwRco2PmMskEYdGogeEKdf5krbC807iHDvlNB63hVIvtEmHHwhiMssxv5VYwgMuvyz_9/pub
99.  
100. MALDOC DISTRIBUTION URLS
101. http://adahomemodifications.com/fuss.php
102. http://brasilk.com.br/clavichord.php
103. http://brasilk.com.br/flagstone.php
104. http://dev.springbreaklife.com/tour/content/021815_redneck_twerk_contest_D021815/incontinence.php
105. http://gurshanlogistics.com/cell.php
106. http://gurshanlogistics.com/perpetualness.php
107. http://nicole-emer.de/potential.php
108. https://cld.org.uk/illiquid.php
109. https://clientes.gestionmx.net/adrenalin.php
110. https://codesterio.com/consumption.php
111. https://hinchcliff.net/sodomous.php
112. https://iastoppersmantra.com/smoothness.php
113. https://info.smabajiminasa.sch.id/aggrandizements.php
114. https://lhagen.gc-webhosting.nl/inconclusive.php
115. https://socialpromotion.store/compile.php
116. https://tnk-moflad.com/urinalysis.php
117. https://tosunotomotiv.com/modularity.php
118. https://viveroscamila.cl/aromatic.php
119. https://viveroscamila.cl/redlining.php
120. https://www.upperkillaycc.org.uk/effortless.php
121. https://www.upperkillaycc.org.uk/haze.php
122. http://www.e-voks.dk/sternness.php
123. http://www.korean.britishwebsite.co.uk/whiner.php
124. http://xcx.yngw518.com/decompiling.php
125.  
126. adahomemodifications.com
127. brasilk.com.br
128. britishwebsite.co.uk
129. cld.org.uk
130. codesterio.com
131. e-voks.dk
132. gc-webhosting.nl
133. gestionmx.net
134. gurshanlogistics.com
135. hinchcliff.net
136. iastoppersmantra.com
137. nicole-emer.de
138. smabajiminasa.sch.id
139. socialpromotion.store
140. springbreaklife.com
141. tnk-moflad.com
142. tosunotomotiv.com
143. upperkillaycc.org.uk
144. viveroscamila.cl
145. yngw518.com
146.  
147. HANCITOR MALDOC FILE HASHES
148. 15a514bc4f62e69621db05c53795556a
149. 1af72e23a6bc30e94301967c3e7ddcec
150. 3a4e93f653c82aacf031fb2e01de5fdd
151. 524b67bf31df7a419244b557c9cc1880
152. 6b3a4cc1a7a043b03f07479d0d4277a7
153. 6ba1d83193d10c81fc9b5da3012ad536
154. 954f3c934d66f2b4fc9d7abc1bc9859b
155. a5e5c6fb6d6841c76a4b56c03f8829e1
156. a9935d640eb94a9bd2b39e5ea75f7ddf
157. bc75340f261f64961382b578715701a0
158. eb9c78470651236a57ace28437f16a5c
159.  
160. HANCITOR PAYLOAD FILE HASH
161. edge.dll
162. 8089b3d619192f3c2785265d69f1fa09
163.  
164. HANCITOR C2
165. http://erisastand.com/8/forum.php
166. http://trimpledtim.ru/8/forum.php
167. http://balcatioplo.ru/8/forum.php
168.  
169. HANCITOR BUILD NUMBER
170. &BUILD=1904_hvm
171.  
172. COBALT STRIKE STAGER FILE PAYLOAD URLS
173. http://masaddrino.ru/1904.bin
174. http://masaddrino.ru/190s4.bin
175. http://masaddrino.ru/1904s.bin
176.  
177. COBALT STRIKE STAGER FILE HASHES
178. 1904.bin
179. cc7cbd182d4d51964a06fb19022f9393
180.  
181. 1904s.bin
182. f3aa95ecf88591f8f74b2fa2b2014bb5
183.  
184. COBALT STRIKE BEACON
185. http://82.117.252.78/zGi2
186.  
187. COBALT STRIKE C2
188. http://82.117.252.78/load