2020-12-16 Hancitor IOCs

1. THREAT ATTRIBUTION: HANCITOR
2.  
3. HANCITOR BUILD
4. BUILD=1612_ui478sd
5.  
6. SUBJECTS OBSERVED
7. You got invoice from DocuSign Electronic Service
8. You got invoice from DocuSign Electronic Signature Service
9. You got invoice from DocuSign Signature Service
10. You received invoice from DocuSign Electronic Service
11. You received invoice from DocuSign Signature Service
12. You received notification from DocuSign Electronic Signature Service
13. You received notification from DocuSign Service
14.  
15. SENDERS OBSERVED
16. [email protected]
17. [email protected]
18. [email protected]
19. [email protected]
20. [email protected]
21. [email protected]
22. [email protected]
23. [email protected]
24. [email protected]
25.  
26. MALDOC LANDING PAGE URLS
27. https://docs.google.com/document/d/e/2PACX-1vQvltdnTwXQpa43unbk09fLhx2qvNsqRAwYqLgOsvSpnqrYc8s52xziqIcrd_ZwU2BwmCvAsvS1klBf/pub
28. https://docs.google.com/document/d/e/2PACX-1vRhdZFB7W6p8BJRFhAZKGMLrkA9oE4LesVrhJpdQFQZozlFzhxzhkoD8o4x6vI17zIft4Rm_NablpqS/pub
29. https://docs.google.com/document/d/e/2PACX-1vSaC3-RRB91ArSXFvAgCPQp0eKUUTQulqioVUeaNAtSTACS7Z4qNWzTCOO9WvQ6e243mKa6Ht_uF41o/pub
30. https://docs.google.com/document/d/e/2PACX-1vSKG2EoqPQDkiKAEZX6vsoVtSIhu7XcxAc-yZLvhKLeYvrwYco7wtZa33rhCNczl2Oagt8izzSq92gg/pub
31. https://docs.google.com/document/d/e/2PACX-1vSNZv_8eN9eJ1Fd8Gt4NVXcx_FKaZemPGX1KQGFA--e7ZOdSIe-gN6Z6gKkV44IqfPrhOKYAR7FA007/pub
32. https://docs.google.com/document/d/e/2PACX-1vSRVoEZobVqPq9-C_elnTAPfr7LIpb7hU7eIdY7O6kuNb2a3490bAL2aC6sc2wcQTN8ZiyCtDVpMK7j/pub
33. https://docs.google.com/document/d/e/2PACX-1vTdKGF2fOwGGpHfMgzbDyUgE16f47acbpoJsjUsixNPAFfkB9hTdo6UbNIT0TwGK4Ry3yN2f-zRYCdS/pub
34. https://docs.google.com/document/d/e/2PACX-1vTma9FuweH1814rZ4ooU1TgDSo2S-MtHKtb5wZ8E6ZS8Pnqq4bDRBqVrolzjvrIPZ2pJuyYemGUPkOR/pub
35.  
36. MALDOC DISTRIBUTION URLS
37. https://bmmm.in/conversely.php
38. https://bmmm.in/serviceability.php
39. https://demo.24onlinenewspaper.com/despicably.php
40.  
41. 24onlinenewspaper.com
42. bmmm.in
43.  
44. MALDOC FILE HASHES
45. 1216_3896101931.doc
46. 2350c157408b69cc5b88bec7e1824d61
47.  
48. 1216_114086062.doc
49. 2b47bfbef6f4080a7a44cc89bf481331
50.  
51. 1216_77796024.doc
52. 63abbcbfc103e00d860e340bbccaea64
53.  
54. 1216_372977361.doc
55. 7270cc86be7b3265386f5e6dc841fc16
56.  
57. 1216_130942272.doc
58. 992a0a152bbd65877f68856772b37aa2
59.  
60. 1216_1079750132.doc
61. d60af09913c8efe15cbf008d72ca5f72
62.  
63. HANCITOR PAYLOAD FILE HASHES
64. W0rd.dll
65. d404861f4a274c4cf780d6ae0e237e51
66.  
67. 1216_77796024.doc_ya.wav
68. 8b820d43f60282e0f06af42723376fac
69.  
70. W0rd.dll
71. ee9ac4b07ac689002716940ec5ea38d0
72.  
73. 1216_1079750132.doc_ya.wav
74. d211ac7d70d9e9f6088f7b62ab032d35
75.  
76. HANCITOR C2
77. http://bicescuryseu.ru/8/forum.php
78. http://ulaginceter.com/8/forum.php
79. http://meordsovellia.ru/8/forum.php
80.  
81. bicescuryseu.ru
82. meordsovellia.ru
83. ulaginceter.com
84.  
85.