2021-05-19 Hancitor IOCs

1. THREAT IDENTIFICATION: HANCITOR / FICKER STEALER
2.  
3. HANCITOR BUILD NUMBER
4. BUILD=1705_wxa09
5.  
6. SUBJECTS OBSERVED
7. You got invoice from DocuSign Electronic Service
8. You got invoice from DocuSign Electronic Signature Service
9. You got invoice from DocuSign Service
10. You got invoice from DocuSign Signature Service
11. You got notification from DocuSign Electronic Service
12. You got notification from DocuSign Electronic Signature Service
13. You got notification from DocuSign Service
14. You got notification from DocuSign Signature Service
15. You received invoice from DocuSign Electronic Service
16. You received invoice from DocuSign Electronic Signature Service
17. You received invoice from DocuSign Service
18. You received invoice from DocuSign Signature Service
19. You received notification from DocuSign Electronic Service
20. You received notification from DocuSign Electronic Signature Service
21. You received notification from DocuSign Service
22. You received notification from DocuSign Signature Service
23.  
24. SENDERS OBSERVED
25. [email protected]
26. [email protected]
27. [email protected]
28. [email protected]
29. [email protected]
30. [email protected]
31. [email protected]
32. [email protected]
33. [email protected]
34. [email protected]
35. [email protected]
36. [email protected]
37. [email protected]
38. [email protected]
39. [email protected]
40. [email protected]
41. [email protected]
42. [email protected]
43. [email protected]
44. [email protected]
45. [email protected]
46. [email protected]
47. [email protected]
48. [email protected]
49. [email protected]
50. [email protected]
51. [email protected]
52. [email protected]
53. [email protected]
54. [email protected]
55. [email protected]
56. [email protected]
57. [email protected]
58. [email protected]
59. [email protected]
60. [email protected]
61. [email protected]
62. [email protected]
63. [email protected]
64. [email protected]
65. [email protected]
66. [email protected]
67. [email protected]
68. [email protected]
69. [email protected]
70. [email protected]
71. [email protected]
72. [email protected]
73. [email protected]
74. [email protected]
75. [email protected]
76. [email protected]
77. [email protected]
78. [email protected]
79. [email protected]
80. [email protected]
81. [email protected]
82.  
83. MALDOC LANDING PAGE URLS
84. https://docs.google.com/document/d/e/2PACX-1vQ0TLLEFuO9ISzjDXZotVTGfv4sbveHtVhXkvsi9ZEGiqcrWBHSuXDP8NsGJY1G9mkWEfB2UYCevF_O/pub
85. https://docs.google.com/document/d/e/2PACX-1vQ2UKWaL7EKrDoHZyJGBj8rGayreGR2hTcT-7Hu1yl4_PIqnMUl2PwG8xQrwI7b4LF9hyermOEg9cqS/pub
86. https://docs.google.com/document/d/e/2PACX-1vQ2Zy968bOJb5RzxMtdSuJ8thAhJnvCrA9ZmtwvmbtafvIDSfdjM4MgJzQKm0itAr9zLasbloHNMYc3/pub
87. https://docs.google.com/document/d/e/2PACX-1vQ_Y_exoM2L8M_943zP53ReRkrxaiew2aeuxywgHQJW8v1rMLMD1-P-fv63OpbEPnJsgnoCSs5JzP5k/pub
88. https://docs.google.com/document/d/e/2PACX-1vQA6WNAlIqJMk1OppsVVBLNUHKI8SsSKlW3iBi9gTUjl4SI4EFa2bpne9BoZoXB5JGYnJQ0ge3UzG5l/pub
89. https://docs.google.com/document/d/e/2PACX-1vQcywiwTq_2aaK04wUSh3cXl5nBAUa9SRU3LvklVJSNfzkfrKvnYkrO3o4mX9ojV4eufRUwdJQgDyIy/pub
90. https://docs.google.com/document/d/e/2PACX-1vQj0nfZR9x9AT1OKrusd3Ztc7dz9YFMg4_07ZHhHRb6DuNXWK2nfwuaF-K4P96e_qBIDO31jT3cuRbf/pub
91. https://docs.google.com/document/d/e/2PACX-1vQLNSIrG6cPA9lbbnlaFw8Jl2Wyap2M3oTrkQCzp_3uWko6pHQMcawhSwaoOWUJwV2vET4x0PebEMOT/pub
92. https://docs.google.com/document/d/e/2PACX-1vQLOlmlWKzxFw-j3V2nkLuihCaoafWA99wYI56g_vPdyxns6204E6dCZqLmMIu9XTg5RprXbEAKD-E5/pub
93. https://docs.google.com/document/d/e/2PACX-1vQp5JKRo_zpPUlurBVzLTgUX2LaicxjaTbgAfu362OQx1j2J7-bnBFDsK6SKB474UwrVJGK7j_sfm2F/pub
94. https://docs.google.com/document/d/e/2PACX-1vQTr4l9d4MGNTVdembv2TGwKHiffLQVOGTycLOt0UmoKLE7v2Eq_r3tnmO8nXlSdq2QI1aTMav53KrZ/pub
95. https://docs.google.com/document/d/e/2PACX-1vQYsMJGcPkkgdA-0pf5Lmfbz0G-lCZu65YBm1qsZLzI095aaglbLXoGUYt_uewBIcSZAFfyIUXa1_uN/pub
96. https://docs.google.com/document/d/e/2PACX-1vR268RrTNABShdrXH2d9llIjpaqTjFmVgtDd0AXxc1D1FSDJleR1wPA0t4gAYF3q-F4WZKOX4CdD3XI/pub
97. https://docs.google.com/document/d/e/2PACX-1vR4nyHYoqFjQiDJKGincwGdjhCKNEiy9_NaQlX4lmyEl-8cKqV_fbMXzlAD2L_Xp1R7Rl5URDLrDKdX/pub
98. https://docs.google.com/document/d/e/2PACX-1vR4UXQwOdEMAekIPXnSSj2W722h-Hawrt60hfR--AW0nsFXwd_4XVvh3YLhEkMiMhw91uQyF_DdmRnq/pub
99. https://docs.google.com/document/d/e/2PACX-1vRC-xLTozrWeFkkhojbJ-vXhoTIFyf0chX0H3_2_RFpFAiVgxF_KAFuNw6YNdhX2WFmnErsuMmNfoO3/pub
100. https://docs.google.com/document/d/e/2PACX-1vRO5W_fWtKKVUTeEeVAK0Ct9JiwJ6XBgayrIQpS9sDzyG9Os5pa27dRfmepNcf8jDOP7DT-3nIXwqXb/pub
101. https://docs.google.com/document/d/e/2PACX-1vRpjW3pdm9SD-3VfP_-Jcod49yqVsf1rvYkiHy26vgfEPRpT1ZbhE7gmdRYborc-tixcVteziElmd7Z/pub
102. https://docs.google.com/document/d/e/2PACX-1vS0awhegyCBsTC1UZfFLcwKc8lruxskRnzo_iYIcXQv7o9k_Nap8xnE0K_lgStcdSa69FzrLM32uEIW/pub
103. https://docs.google.com/document/d/e/2PACX-1vSb-jtmi9SdRshGq_L0kpV6zajdYpU8V-m4uxdDJRlGu2xn-SPlx8-5cWnRJU6t1iVPmaB_lcNWC4S4/pub
104. https://docs.google.com/document/d/e/2PACX-1vSBFNeewgAJ2toYGUOkEEYWvdtdYdCpHw8QvzRL_qCAhctxRMWq5ddkVha4uf6Q7nxMO4TfH4N688Ez/pub
105. https://docs.google.com/document/d/e/2PACX-1vSBMWaXvSoDXXzyTLLVF9LRbezmFSV5dj0gpmpRW7r8SoLO5-xT02H663fOLFRLgaTYZGisdhDEGZsQ/pub
106. https://docs.google.com/document/d/e/2PACX-1vSfdbvyOxK28ixhNSChLISA3JosJ0llzILpgVTrrg5X07y7OYkTEojOYCy5mMdNcEuBDYC0_URnW9ZC/pub
107. https://docs.google.com/document/d/e/2PACX-1vSfiXdlfFw4SV0FbNvSDQ9xuv-VFbTdA9CIpdi5IxgeJQLFyaFn8_SxAQra7_EJiNbGk9pYwqBTYDn7/pub
108. https://docs.google.com/document/d/e/2PACX-1vSmPraEIKa3mvFl6NTbliOaEQehObJeTNyY4asByRbtr6VK0Rjd8lXX92mFR0ZconRHYvMBHMxCfSkZ/pub
109. https://docs.google.com/document/d/e/2PACX-1vSO98H5WzfzWzJamPB3wbrhHZoYGH8wODU4lj6R0MiFd0fJ7JcBiNbmNcpBgu-SQ54L6UFylZFWv4KO/pub
110. https://docs.google.com/document/d/e/2PACX-1vSpKIWMTiW2-WHTiGhxXd8U9GzQIaYARkVNKbBnszXSsLKfhz7v7xg_dbjhKpiFe6ukQQAW5O_clcDL/pub
111. https://docs.google.com/document/d/e/2PACX-1vSpyzxGNtd1cwhzuZEhl1E-f9LCJYV4JLQOuawGkA8PeF0LlTnv9eX6spq_cZpQjPDOzCF63gi5vxiw/pub
112. https://docs.google.com/document/d/e/2PACX-1vSqfwbf6Z_tdPPmZV5ix4hD20GCHpSvdDJ8HRuET50X6SrmC3bG4WvwEBe0fbITwFtHflS1drXILoui/pub
113. https://docs.google.com/document/d/e/2PACX-1vSqksSMUJawiry1oerLD0aMWjl3b5IvGJqCjNA0JoNAN9xTpsSzYMrl5eanBMkgnL8zQPmDDSS0pz72/pub
114. https://docs.google.com/document/d/e/2PACX-1vSs0-ELSWBUr4pgf0LBzpoPNyxcXFG5FMDTttWt4oBOQD4CZ0LOTMPom0gFSLSbDWjxFlF3QRfePhim/pub
115. https://docs.google.com/document/d/e/2PACX-1vSTlmNM0yZ5J6-YTNnDY1yfdRC3TQUYYMOAvBBekJVP_uRgxXuKiwZkpLPHBz8-ywx_WMzd4gaX9JcF/pub
116. https://docs.google.com/document/d/e/2PACX-1vSwbJMzRfw6iz0-HYioG1yudo9qstWZ8HyNAMNgFdGYod2QLCczHQM-do3pBdwAcgFFevyn6EKxgjVW/pub
117. https://docs.google.com/document/d/e/2PACX-1vT-OpKnNObUYY6HilaKKH7DG9ye4XKDodwotJL038V6da5iItRtCCXOrkAGA4Smma7kPlK9PLngzvGn/pub
118. https://docs.google.com/document/d/e/2PACX-1vT0RjmQ_yu_-pE9W6XkSHJ5dr9xoM1EkxSWfh-NHedfMYzpXokCu6Kxxv2c9jwJz5nKwZGdtDFWgZCB/pub
119. https://docs.google.com/document/d/e/2PACX-1vTcMYHFtOVl5OucnqLZmEBrOP8VNBSjqvaCaVnnhvkoi6MQDUNw06D9cgRKHsMu-npUEEAJlXQtd7NJ/pub
120. https://docs.google.com/document/d/e/2PACX-1vTDc4rKPao-l7SEbVIbphNX8CVdXtiTn3VcmHZi3_KHXifCUDK9jA1B1u2Ei-FgDjXHs0x64e5-QKee/pub
121. https://docs.google.com/document/d/e/2PACX-1vTmjOn0N8TW5tlS-752K-BMaryYhNEeMFbnWBQ6oKJwFW1MZa5ZxZeX75bz_Sjo43CNcq8um-qMsMsy/pub
122. https://docs.google.com/document/d/e/2PACX-1vTmNCl-bjXtx2aFgFmHMcMtZPtCQ7pjlyzc83DPV7POYySqftqmIADYoIgfY8JVHnp62Nw9Hli07j5V/pub
123. https://docs.google.com/document/d/e/2PACX-1vTtrD8xgWFicRPNfbo2Wx1_KLYM6DLDXl42GnbV890YPjcAtsWVMZWbqoTrEA16HklC4sGZyaikFJZS/pub
124.  
125. MALDOC DISTRIBUTION URLS
126. http://swsgroup.sws-group.net/sparing.php
127. http://toomix.net/assumptively.php
128. http://www.comitato-antimafia-lt.org/retailer.php
129. https://anghighschool.smsoft.in/knotty.php
130. https://anghighschool.smsoft.in/swish.php
131. https://angprimary.smsoft.in/dance.php
132. https://biepformations.com/centre.php
133. https://biepformations.com/jim.php
134. https://biepformations.com/prevarication.php
135. https://binafif-est.com.sa/abroad.php
136. https://demo.hmsmicroex.uproducts.in/exhume.php
137. https://demo.hrms.uproducts.in/smooching.php
138. https://graphixbird.com/file.php
139. https://graphixbird.com/street.php
140.  
141. biepformations.com
142. binafif-est.com.sa
143. comitato-antimafia-lt.org
144. graphixbird.com
145. smsoft.in
146. sws-group.net
147. toomix.net
148. uproducts.in
149.  
150. HANCITOR MALDOC FILE HASHES
151. 340340140e69364e0c9beae5aa419ea6
152. 35f8a4449b03196e9101d5de75daf2c2
153. 42924a42021e8b97dce7ccc9b6531cd7
154. 4680281474f5c31c4161ea107032b297
155. 482daffc94ae246cc9e69cf02baa2461
156. 4d0bfbb8b9d68d1304ab5551672e3eb7
157. 6d46c3770504e45b654239589ae612a7
158. 78644d79eeead45c882d488295c28267
159. 8df3163cb32bf016e42e3f5c11e78b93
160. ace4c73a74714b6570d5632750e8a71c
161. b8e6c04f93b3e5f21a89a0097c7e4230
162. d635abb1dd586a2a6c7071fd85efcb75
163. e37467ec610be9cef88b6e4ad5b90ead
164.  
165. HANCITOR PAYLOAD FILE HASH
166. zs.z
167. 52fceae26c334287953821b7a8b8f473
168.  
169. HANCITOR C2
170. http://hrowedinizoin.ru/8/forum.php
171. http://lowermuccon.ru/8/forum.php
172. http://thotainizent.com/8/forum.php
173.  
174. FICKER STEALER PAYLOAD URL
175. http://traverso.ru/6jkdfijsd.exe
176.  
177. FICKER STEALER FILE HASH
178. 6jkdfijsd.exe
179. 77be0dd6570301acac3634801676b5d7
180.  
181. FICKER STEALER C2
182. http://sweyblidian.com
183.