ExecuteMalware

2020-12-02 Hancitor IOCs

Dec 2nd, 2020
THREAT ATTRIBUTION: HANCITOR
BUILD=0212_78434

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Signature Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Service
You received invoice from DocuSign Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED

MALDOC LANDING PAGE URLS

HANCITOR MALDOC DOWNLOAD URLS

HANCITOR MALDOC FILE HASHES
1202_4735106192.doc
7663c34a4c2a5c1900c0cc85e08712f7

HANCITOR PAYLOAD FILE HASHES
W0rd.dll
a6a402c2998b0ae62842f88303715169

HANCITOR C2
http://behelzho.ru/8/forum.php
http://eaussill.com/8/forum.php
http://hossangerts.ru/8/forum.php