ExecuteMalware

2021-01-27 Hancitor IOCs

Jan 27th, 2021
THREAT ATTRIBUTION: HANCITOR

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Signature Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Electronic Signature Service
You received invoice from DocuSign Service
You received notification from DocuSign Electronic Signature Service

SENDERS OBSERVED

MALDOC LANDING PAGES

MALDOC DOWNLOAD URLS

MALDOC FILE HASHES
N/A

HANCITOR PAYLOAD FILE HASHES
N/A

HANCITOR C2
http://sicantort.com/8/forum.php
http://theirrissublu.ru/8/forum.php
http://woulauserpect.ru/8/forum.php

HANCITOR BUILD
Build: 2701_98tip