API tools faq
paste
ExecuteMalware

2021-07-12 Hancitor IOCs

ExecuteMalware
Jul 12th, 2021
16,163
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 9.59 KB | None | 0 0
raw download clone embed print report
  1. THREAT IDENTIFICATION: HANCITOR / FICKER STEALER / COBALT STRIKE
  2.  
  3. HANCITOR BUILD NUMBER
  4. BUILD=1207_cvefop
  5.  
  6. SUBJECTS OBSERVED
  7. You got invoice from DocuSign Electronic Service
  8. You got invoice from DocuSign Electronic Signature Service
  9. You got invoice from DocuSign Service
  10. You got invoice from DocuSign Signature Service
  11. You got notification from DocuSign Electronic Signature Service
  12. You got notification from DocuSign Service
  13. You received invoice from DocuSign Electronic Service
  14. You received invoice from DocuSign Electronic Signature Service
  15. You received invoice from DocuSign Service
  16. You received invoice from DocuSign Signature Service
  17. You received notification from DocuSign Electronic Signature Service
  18. You received notification from DocuSign Service
  19. You received notification from DocuSign Signature Service
  20.  
  21. SENDERS OBSERVED
  22. [email protected]
  23. [email protected]
  24. [email protected]
  25. [email protected]
  26. [email protected]
  27. [email protected]
  28. [email protected]
  29. [email protected]
  30. [email protected]
  31. [email protected]
  32. [email protected]
  33. [email protected]
  34. [email protected]
  35. [email protected]
  36. [email protected]
  37. [email protected]
  38. [email protected]
  39. [email protected]
  40. [email protected]
  41. [email protected]
  42. [email protected]
  43. [email protected]
  44. [email protected]
  45. [email protected]
  46. [email protected]
  47. [email protected]
  48. [email protected]
  49. [email protected]
  50. [email protected]
  51. [email protected]
  52. [email protected]
  53. [email protected]
  54.  
  55. MALDOC PROXY DISTRIBUTION URLS
  56. http://feedproxy.google.com/~r/aiaaf/~3/pkLXnPHczRw/trackball.php
  57. http://feedproxy.google.com/~r/bhsuiuydhd/~3/zCultSWm5Rk/unequal.php
  58. http://feedproxy.google.com/~r/covpcktopt/~3/GmwkNzndgV4/incur.php
  59. http://feedproxy.google.com/~r/cuywjhi/~3/qOJn90FYfqE/ambitiously.php
  60. http://feedproxy.google.com/~r/cxtyhak/~3/GXOZgFJrjWg/accrual.php
  61. http://feedproxy.google.com/~r/datrp/~3/LE22rQ0WXuI/cornerstone.php
  62. http://feedproxy.google.com/~r/eelzda/~3/Vr7xUUfJ-1Y/truckage.php
  63. http://feedproxy.google.com/~r/jwswdkj/~3/PboyzzdLDzw/achievement.php
  64. http://feedproxy.google.com/~r/lrzayuvxcqf/~3/qbUWZ-gO0hU/bucking.php
  65. http://feedproxy.google.com/~r/mipjbaz/~3/rlONcxONhH8/usurper.php
  66. http://feedproxy.google.com/~r/msaom/~3/Iy1bR52MsZk/acquittance.php
  67. http://feedproxy.google.com/~r/ndgjimvgz/~3/46rfXdUDOlg/pollinate.php
  68. http://feedproxy.google.com/~r/nihoraokb/~3/To5n9BFqs8M/obscene.php
  69. http://feedproxy.google.com/~r/nmrygkkelcn/~3/cRNAP-4Kchk/participating.php
  70. http://feedproxy.google.com/~r/okmvgmutor/~3/ldMCg5CLbtM/splatter.php
  71. http://feedproxy.google.com/~r/qxepbiho/~3/I1LSZq1PR8s/trafficked.php
  72. http://feedproxy.google.com/~r/rltgxh/~3/0HrENsYcYg0/clasp.php
  73. http://feedproxy.google.com/~r/shtegfvmux/~3/fXYI00aksec/sticker.php
  74. http://feedproxy.google.com/~r/tjazygwa/~3/46rfXdUDOlg/pollinate.php
  75. http://feedproxy.google.com/~r/txrxnann/~3/4mLXkoFEIUA/saunterer.php
  76. http://feedproxy.google.com/~r/ufyezjtkhb/~3/sl-3zP5QZiY/vantage.php
  77. http://feedproxy.google.com/~r/uipdj/~3/Iy1bR52MsZk/acquittance.php
  78. http://feedproxy.google.com/~r/xoxpsyqiejl/~3/W9n5M-mPa60/figurehead.php
  79. http://feedproxy.google.com/~r/ycfjvipeip/~3/aC32d5FfLi8/idly.php
  80. http://feedproxy.google.com/~r/yshrbiqz/~3/9BRJIHIRL1A/jewelery.php
  81. http://feedproxy.google.com/~r/zqztw/~3/Yhw5DKajWQQ/wastefully.php
  82.  
  83. MALDOC REDIRECT DOWNLOAD URLS
  84. http://2020disposalservices.com/accrual.php
  85. http://an.nastena.lv/achievement.php
  86. http://dohastuff.com/incur.php
  87. http://dohastuff.com/truckage.php
  88. http://grecozenobi.com.ar/usurper.php
  89. http://gunsify.com/cornerstone.php
  90. http://lineacisne.cl/obscene.php
  91. http://mohammadtalks.com/vantage.php
  92. http://nocturnalpro.com/trackball.php
  93. http://odas.ubicuo.site/ambitiously.php
  94. http://odas.ubicuo.site/participating.php
  95. http://pphc.welkinfortprojects.com/unequal.php
  96. http://redessoft.com/jewelery.php
  97. http://seatranscorp.com/wastefully.php
  98. http://www.agfphx.com/clasp.php
  99. http://www.agfphx.com/figurehead.php
  100. https://affirmingyourlife.com/saunterer.php
  101. https://affirmingyourlife.com/sticker.php
  102. https://amazingholidaysmaldives.com/bucking.php
  103. https://autoscrapforcash.com/idly.php
  104. https://autoscrapforcash.com/trafficked.php
  105. https://dsmsystem.com.py/acquittance.php
  106. https://www.ivrvirtualsolutions.com/pollinate.php
  107. https://www.thebeing.com.br/splatter.php
  108.  
  109. 2020disposalservices.com
  110. affirmingyourlife.com
  111. agfphx.com
  112. amazingholidaysmaldives.com
  113. autoscrapforcash.com
  114. dohastuff.com
  115. dsmsystem.com.py
  116. grecozenobi.com.ar
  117. gunsify.com
  118. ivrvirtualsolutions.com
  119. lineacisne.cl
  120. mohammadtalks.com
  121. nastena.lv
  122. nocturnalpro.com
  123. redessoft.com
  124. seatranscorp.com
  125. thebeing.com.br
  126. ubicuo.site
  127. welkinfortprojects.com
  128.  
  129. MALDOC DOC FILE HASHES
  130. 29cc4e2bf456d2f509e6edbbe0facff6
  131. 68da25a05ddc6b1e7e04fd5fa4cf76db
  132. 799b389ea1bfd39bddc2b94d5c31c878
  133. 7ec89cb32223faef52de0f4bdb240226
  134. 93e0589ddf297fcbd925b54b371b8e8b
  135. 9f0251c4ce4353c06f2163bb3aec1013
  136. a8522da79c82b2d2264985e9d63b625a
  137. b84bb5ce6ac0d377b8849d4f826355f3
  138. bad7b7001ea2d5fc7569eb32b328674e
  139. d3891b7c3c73ebcc3a8ab48331c02914
  140. e63281e29d20950bd7d30d3ffa7d360f
  141. ef0511c9a7b701323548188e59b779bf
  142. f0f4279d94c9fae37a3deb4dab5b3e5a
  143.  
  144. HANCITOR PAYLOAD FILE HASH
  145. ier.dll
  146. 14b3976c264c2a8a2dcb06df09c7a093
  147.  
  148. HANCITOR C2
  149. http://factoothfand.ru/8/forum.php
  150. http://olinsartain.ru/8/forum.php
  151. http://trictuatiove.com/8/forum.php
  152.  
  153. FICKER STEALER DOWNLOAD URL
  154. http://pirocont70l.ru/7hjujnfds.exe
  155.  
  156. FICKER STEALER FILE HASH
  157. 7hjujnfds.exe
  158. 270c3859591599642bd15167765246e3
  159.  
  160. FICKER C2
  161. http://pospvisis.com
  162.  
  163. COBALT STRIKE STAGER DOWNLOAD URLS
  164. http://pirocont70l.ru/1207.bin
  165. http://pirocont70l.ru/1207s.bin
  166.  
  167. COBALT STRIKE STAGER FILE HASHES
  168. 1207.bin
  169. 26e559ca6e38cbafd20c1dd7484c2385
  170.  
  171. 1207s.bin
  172. ffd8acab871ffd27b08b6deb13bc363c
  173.  
  174. COBALT STRIKE BEACON DOWNLOAD URL
  175. http://92.119.157.74/8Qkh
  176.  
  177. COBALT STRIKE BEACON FILE HASH
  178. 8Qkh
  179. 261db9a2054262e6c18c07c7ddd42a95
  180.  
  181. COBALT STRIKE C2
  182. http://92.119.157.74/dot.gif
  183.  
  184. ADDITIONAL COBALT STRIKE URLS FROM STRINGS IN MEMORY
  185. https://92.119.157.74/Bsr5
  186. https://92.119.157.74/IE9CompatViewList.xml
  187.  
  188.  
  189. COBALT STRIKE BEACON CONFIG (from Didier Stevens' 1768 tool)
  190. File: 8Qkh
  191. xorkey(chain): 0x8aefd22e
  192. length: 0x00033400
  193. payloadType: 0x10014fc2
  194. payloadSize: 0x00000000
  195. intxorkey: 0x00000000
  196. id2: 0x00000000
  197. Config found: xorkey b'.' 0x00030220 0x00033400
  198. 0x0001 payload type 0x0001 0x0002 0 windows-beacon_http-reverse_http
  199. 0x0002 port 0x0001 0x0002 80
  200. 0x0003 sleeptime 0x0002 0x0004 60000
  201. 0x0004 maxgetsize 0x0002 0x0004 1048576
  202. 0x0005 jitter 0x0001 0x0002 0
  203. 0x0007 publickey 0x0003 0x0100 30819f300d06092a864886f70d010101050003818d0030818902818100a738cde75f1fbb1c18646c377e03016b162b12ba72bdf7dc36b4cd2e4e9bae12205a95c26170bf908105ad7fa4bbccfa798632261bed9870f975f20794e1fe499523d71f08a56cae0315bfde3d6c8a16386b03b7a6551aa1336d50325a3500db27d78ad8fd13b6a73b9fb7c3fb4d7a088e323f07618656ecd83595fa5f823613020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  204. 0x0008 server,get-uri 0x0003 0x0100 '92.119.157.74,/dot.gif'
  205. 0x0043 0x0001 0x0002 0
  206. 0x0044 0x0002 0x0004 4294967295
  207. 0x0045 0x0002 0x0004 4294967295
  208. 0x0046 0x0002 0x0004 4294967295
  209. 0x000e SpawnTo 0x0003 0x0010 (NULL ...)
  210. 0x001d spawnto_x86 0x0003 0x0040 '%windir%\\syswow64\\rundll32.exe'
  211. 0x001e spawnto_x64 0x0003 0x0040 '%windir%\\sysnative\\rundll32.exe'
  212. 0x001f CryptoScheme 0x0001 0x0002 0
  213. 0x001a get-verb 0x0003 0x0010 'GET'
  214. 0x001b post-verb 0x0003 0x0010 'POST'
  215. 0x001c HttpPostChunk 0x0002 0x0004 0
  216. 0x0025 license-id 0x0002 0x0004 0
  217. 0x0026 bStageCleanup 0x0001 0x0002 0
  218. 0x0027 bCFGCaution 0x0001 0x0002 0
  219. 0x0009 useragent 0x0003 0x0100 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)'
  220. 0x000a post-uri 0x0003 0x0040 '/submit.php'
  221. 0x000b Malleable_C2_Instructions 0x0003 0x0100 '\x00\x00\x00\x04'
  222. 0x000c http_get_header 0x0003 0x0200
  223. b'Cookie'
  224. 0x000d http_post_header 0x0003 0x0200
  225. b'&Content-Type: application/octet-stream'
  226. b'id'
  227. 0x0036 HostHeader 0x0003 0x0080 (NULL ...)
  228. 0x0032 UsesCookies 0x0001 0x0002 1
  229. 0x0023 proxy_type 0x0001 0x0002 2 IE settings
  230. 0x003a 0x0003 0x0080 '\x00\x04'
  231. 0x0039 0x0003 0x0080 '\x00\x04'
  232. 0x0037 0x0001 0x0002 0
  233. 0x0028 killdate 0x0002 0x0004 0
  234. 0x0029 textSectionEnd 0x0002 0x0004 0
  235. 0x002b process-inject-start-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
  236. 0x002c process-inject-use-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
  237. 0x002d process-inject-min_alloc 0x0002 0x0004 0
  238. 0x002e process-inject-transform-x86 0x0003 0x0100 (NULL ...)
  239. 0x002f process-inject-transform-x64 0x0003 0x0100 (NULL ...)
  240. 0x0035 process-inject-stub 0x0003 0x0010 '2ÍAíð\x81\x0c[_I\x8eßG1Ìm'
  241. 0x0033 process-inject-execute 0x0003 0x0080 '\x01\x02\x03\x04'
  242. 0x0034 process-inject-allocation-method 0x0001 0x0002 0
  243.  
  244.  
  245.  
  246.  
  247.  
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!