ExecuteMalware

2020-10-20 Hancitor IOCs

Oct 20th, 2020
THREAT ATTRIBUTION: HANCITOR

SUBJECTS OBSERVED
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Service
You received invoice from DocuSign Electronic Signature Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service

SENDERS OBSERVED
cwne@volunteerslawsuit.com
lezau@volunteerslawsuit.com
nauyk@volunteerslawsuit.com
zopwy@volunteerslawsuit.com
zycykcu@volunteerslawsuit.com

MALDOC LANDING PAGE URLS
https://docs.google.com/document/d/e/2PACX-1vQ2_QVmL13WvuV9TNRBqBBaTPYsdyx-Nz2nLaM9EojKtNRjitS2nmk2bx_KbEaYOjcS085HxdnBj_zb/pub
https://docs.google.com/document/d/e/2PACX-1vQhndfOxhPD3jQQ73J8KxppCdzOAKRo4ObwzsBiC8GfFjhPbEw_16_StST_5HZUPkC4kAttI%0D%0AbFPHJ8o/pub
https://docs.google.com/document/d/e/2PACX-1vQhndfOxhPD3jQQ73J8KxppCdzOAKRo4ObwzsBiC8GfFjhPbEw_16_StST_5HZUPkC4kAttIbFPHJ8o/pub
https://docs.google.com/document/d/e/2PACX-1vR4nGUu16IcLQooUvA0UiWDSGdFZr0w-FizWVaAC0hE5LLRMk7fvEGV0Rpk35LvWxF-9z5elns6G4nf/pub
https://docs.google.com/document/d/e/2PACX-1vTXyLPCBwzVDJyFIjQq6tJyn2PKAfe261LdpiIaFjD1oMM3G893avJgxtqYeRSuBKNISaf0MO3GPQhu/pub
(the second and third landing page URLs carry the same document ID; the %0D%0A in the second is a URL-encoded CRLF, so match on the document ID rather than the exact string)

MALDOC DISTRIBUTION URLS
http://dieeulenklasse.com/pack.php
http://owlmarketingexcellence.com/dismiss.php

I couldn't retrieve the actual download URL for the .xlsb file.

MALDOC FILE HASH (MD5)
10_20_report.xlsb
28ab25f8f1addbd3c9a93d156e7407b1

HANCITOR DOWNLOAD URLS
http://marspetcarelawsuit.com/xls.png

HANCITOR PAYLOAD FILE HASH (MD5)
xls.png
83ba2586ea176dfb069ec4bf49439d94

HANCITOR C2
http://stylefersan.com/7/forum.php

SECONDARY PAYLOAD
http://nepbag.com/f3.exe

SECONDARY PAYLOAD FILE HASH (MD5)
f3.exe
c9917fd15fed108ad9d6ee548dd2e4c1

UNKNOWN C2
functionalrejh.com

SUPPORTING EVIDENCE
https://bazaar.abuse.ch/browse.php?search=83ba2586ea176dfb069ec4bf49439d94
https://www.virustotal.com/gui/file/dc7f971af6d534662501decd86d0cb8d58392149a0cf06a236f6aec2490808aa/detection
https://app.any.run/tasks/0df02d87-76ef-4bc1-813b-45d974b5b517/
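The list above is laid out as uppercase section headings followed by one indicator per line. As an added example that is not part of the original paste, the Python script below parses that layout into indicator sets (subjects, senders, URLs, domains, MD5 hashes, file names) and sweeps log lines for them. The IOC values embedded in it are copied from the list (trimmed; the full list parses the same way). Everything else is assumed here: the log lines are constructed, the shared-host list (docs.google.com is never promoted to a domain indicator), the file-extension list used to tell file names from bare domains, and the decision to skip the SUPPORTING EVIDENCE section so that sandbox links are not treated as indicators.

```python
"""Parse the plain-text IOC list above into indicator sets and sweep log lines for them.
Added example, not part of the original paste: IOC values are copied from the paste (trimmed);
the log lines, shared-host list, file-extension list and skipped sections are assumptions."""
import re
from urllib.parse import urlparse

IOC_TEXT = """\
SUBJECTS OBSERVED
You got invoice from DocuSign Signature Service
SENDERS OBSERVED
cwne@volunteerslawsuit.com
MALDOC LANDING PAGE URLS
https://docs.google.com/document/d/e/2PACX-1vQ2_QVmL13WvuV9TNRBqBBaTPYsdyx-Nz2nLaM9EojKtNRjitS2nmk2bx_KbEaYOjcS085HxdnBj_zb/pub
MALDOC DISTRIBUTION URLS
http://dieeulenklasse.com/pack.php
HANCITOR DOWNLOAD URLS
http://marspetcarelawsuit.com/xls.png
HANCITOR PAYLOAD FILE HASH
xls.png
83ba2586ea176dfb069ec4bf49439d94
HANCITOR C2
http://stylefersan.com/7/forum.php
SECONDARY PAYLOAD
http://nepbag.com/f3.exe
c9917fd15fed108ad9d6ee548dd2e4c1
UNKNOWN C2
functionalrejh.com
SUPPORTING EVIDENCE
https://bazaar.abuse.ch/browse.php?search=83ba2586ea176dfb069ec4bf49439d94
"""

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
# Assumptions: bare names with these extensions are files, not domains; hosts shared with
# legitimate traffic are never promoted to domain indicators; evidence links are not IOCs.
FILE_EXTS = {"exe", "dll", "xlsb", "xls", "xlsm", "doc", "docm", "png"}
SHARED_HOSTS = {"docs.google.com"}
SKIP_SECTIONS = ("EVIDENCE",)

def parse_iocs(text):
    """Uppercase lines open a section; every other line is classified by its shape."""
    iocs = {k: set() for k in ("subjects", "senders", "urls", "domains", "md5", "files")}
    section = ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.isupper() and not MD5_RE.match(line):
            section = line
            continue
        if any(word in section for word in SKIP_SECTIONS):
            continue
        if MD5_RE.match(line):
            iocs["md5"].add(line.lower())
        elif line.startswith(("http://", "https://")):
            iocs["urls"].add(line)
            host = urlparse(line).hostname
            if host and host not in SHARED_HOSTS:
                iocs["domains"].add(host)
        elif EMAIL_RE.match(line):
            iocs["senders"].add(line.lower())
            iocs["domains"].add(line.rsplit("@", 1)[1].lower())  # sending domain is an IOC too
        elif "SUBJECT" in section:
            iocs["subjects"].add(line)
        elif line.rsplit(".", 1)[-1].lower() in FILE_EXTS:
            iocs["files"].add(line)
        elif DOMAIN_RE.match(line):
            iocs["domains"].add(line.lower())
    return iocs

URL_IN_LOG = re.compile(r"""https?://[^\s"'<>]+""")
HEX32_IN_LOG = re.compile(r"\b[0-9a-fA-F]{32}\b")
EMAIL_IN_LOG = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
HOST_IN_LOG = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

def match_line(line, iocs):
    """Return sorted (kind, value) pairs for every indicator present in one log line."""
    hits = set()
    for url in URL_IN_LOG.findall(line):
        if url.rstrip(".,;)") in iocs["urls"]:
            hits.add(("url", url.rstrip(".,;)")))
    for h in HEX32_IN_LOG.findall(line):
        if h.lower() in iocs["md5"]:
            hits.add(("md5", h.lower()))
    for addr in EMAIL_IN_LOG.findall(line):
        if addr.lower() in iocs["senders"]:
            hits.add(("sender", addr.lower()))
    for host in HOST_IN_LOG.findall(line):  # URL hosts, DNS queries and sender domains alike
        if host.lower() in iocs["domains"]:
            hits.add(("domain", host.lower()))
    for subject in iocs["subjects"]:
        if subject.lower() in line.lower():
            hits.add(("subject", subject))
    return sorted(hits)

# Constructed log lines: mail gateway, proxy, endpoint, DNS, then a benign visit to the shared host.
SAMPLE_LOGS = [
    'mta from=<cwne@volunteerslawsuit.com> subject="You got invoice from DocuSign Signature Service"',
    "proxy GET http://marspetcarelawsuit.com/xls.png 200",
    "edr file=xls.png md5=83ba2586ea176dfb069ec4bf49439d94",
    "dns query=functionalrejh.com type=A",
    "proxy GET https://docs.google.com/document/d/e/another-doc/pub 200",
]
```

Running `match_line` over `SAMPLE_LOGS` flags the first four lines (sender plus its domain plus subject, download URL plus its host, payload MD5, unknown C2 domain) and nothing on the fifth: the landing pages live on docs.google.com, so they are only ever matched on the full URL, never on the host, and the Bazaar/VirusTotal/any.run links are kept out of the indicator sets entirely.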