ExecuteMalware

2021-02-24 Hancitor IOCs

Feb 24th, 2021
THREAT IDENTIFICATION: HANCITOR/COBALT STRIKE

HANCITOR BUILD
BUILD=2202_pro23

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Electronic Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED

MALDOC LANDING PAGE URLS

HANCITOR MALDOC FILE HASHES

MALDOC DISTRIBUTION URLS

Redirect phishing page
https://xn--xpss53-cib19nl66k.com/

HANCITOR PAYLOAD FILE HASH
Static.dll
2b9c1cd4be01ed10b60b65a03c0be683

HANCITOR C2
http://aftereand.com/8/forum.php
http://nevemicies.ru/8/forum.php
http://froplivernat.ru/8/forum.php

FICKER STEALER PAYLOAD URLS
http://sromecorlduce.ru/6sfsgfsgqwert.exe

FICKER STEALER FILE HASH
6sfsgfsgqwert.exe
77be0dd6570301acac3634801676b5d7

FICKER STEALER C2
http://sweyblidian.com

COBALT STRIKE PAYLOAD URLS
http://sromecorlduce.ru/2402s.bin
http://sromecorlduce.ru/2402.bin

COBALT STRIKE FILE HASHES
2402s.bin
dc57675fab5881647a04df79f0b44046

2402.bin
70521e49ebd77ab3667f03dafcaa34c8

COBALT STRIKE TRAFFIC
http://193.160.32.60/5bLy
http://193.160.32.60/fwlink
http://193.160.32.60/submit.php?id=1006340648
https://193.160.32.60