Oct 3, 2017 Hancitor fake Ring Central phish IOCs

1. Hancitor Oct 3, 2017 fake Ring Central fax
2. From: ringcentral@servicemasterqr.com and ringcentral@cisonic.com
3. Subject: New incoming fax from xxx-xxx-xxx
4. Downloaded document name: fax_299407.doc
5. Document SHA256: 435c0c15f9fde201c221cdd60c25843230b0be00c5e84c35a23b2482d95e4d78
6.  
7. Phishing URLs
8. capstratconsulting.info
9. capstratconsulting.net
10. capstratconsulting.org
11. capstratconsulting.us
12. codepalpreplanviewer.info
13. codepalpreplanviewer.net
14. codepalpreplanviewer.org
15. codepaltoolkitxa.com
16. codepaltoolkitxa.info
17. codepaltoolkitxa.net
18. codepaltoolkitxa.org
19. codepalxa.com
20. codepalxa.info
21. codepalxa.net
22. codepalxa.us
23. gcpumpparts.com
24. gcpumpparts.net
25. golfpumpparts.com
26. golfpumpparts.net
27. golfstationparts.com
28. golfstationparts.net
29. golfstationpumpparts.com
30. waterbornepumps.net
31.  
32. C2 Domains
33. http://idsurinle.com/ls5/forum.php
34. http://higocoeveng.ru/ls5/forum.php
35. http://gauldtigot.ru/ls5/forum.php
36.  
37. Malware Delivery links
38. http://totalmss.co.za/wp-content/plugins/really-simple-captcha/3
39. http://bodyco.ru/wp-content/plugins/category-seo-meta-tags/3
40. http://christiangans.de/wp-content/plugins/simple-facebook-comments-for-wordpress/3
41. http://odeonradio.nl/wp-content/plugins/sm-facebook-comments/3
42. http://blog.thegemden.com.au/wp-content/plugins/wp-slimbox2/3
43. http://marok.info/core/functions/3
44.  
45. File1 SHA256: c22a81ab297a5b1aff4bb7a7616726d4286a7aeee654de5ffd870a1760c297bc
46. File2 SHA256: 161b534092bc58f9745e772e6ff59b84555af729d335bb98b9062c29fbdb407a
47. File3 SHA256: 95597e97cb9ce10e99ae71a637d08e58c640628f759e07fde77f407b65d18245