2021-05-20 Hancitor IOCs

1. THREAT IDENTIFICATION: HANCITOR / FICKER STEALER
2.  
3. HANCITOR BUILD NUMBER
4. BUILD=2005_mesbn
5.  
6. SUBJECTS OBSERVED
7. You got invoice from DocuSign Electronic Service
8. You got invoice from DocuSign Signature Service
9. You got notification from DocuSign Service
10. You received invoice from DocuSign Electronic Service
11. You received invoice from DocuSign Electronic Signature Service
12. You received invoice from DocuSign Signature Service
13. You received notification from DocuSign Service
14. You received notification from DocuSign Signature Service
15.  
16. SENDERS OBSERVED
17. [email protected]
18. [email protected]
19. [email protected]
20. [email protected]
21. [email protected]
22. [email protected]
23. [email protected]
24. [email protected]
25. [email protected]
26. [email protected]
27.  
28. MALDOC LANDING PAGE URLS
29. https://docs.google.com/document/d/e/2PACX-1vQdgtNuLxD48C4JhUaesn_ZFgAFsZ_EJaSCBpbDItEYzNdf_SAu2s6gLNjPBqRXnBDNKwmyA4Y3THsW/pub
30. https://docs.google.com/document/d/e/2PACX-1vQk5kwI89J1WNz2CiNd_oADJyY29FmwknX_ZHCyAzK5KQ2wn4p2H1wAvy9kS2mi54-62KRxrox-iFrF/pub
31.  
32. MALDOC DISTRIBUTION URLS
33. https://skillsit.com.br/centrality.php
34.  
35. HANCITOR MALDOC FILE HASHES
36. 24047349658d77867ee29c89735655a0
37.  
38. HANCITOR PAYLOAD FILE HASH
39. rem.r
40. 705864ea2d02aa4e6d66f673fac35fe9
41.  
42. HANCITOR C2
43. http://vaethemanic.com/8/forum.php
44. http://tembovewinated.ru/8/forum.php
45. http://prournauseent.ru/8/forum.php
46.  
47. FICKER STEALER PAYLOAD URL
48. http://q09pi7.ru/6jkio9ukds.exe
49.  
50. FICKER STEALER FILE HASH
51. 6jkio9ukds.exe
52. 77be0dd6570301acac3634801676b5d7
53.  
54. FICKER STEALER C2
55. http://sweyblidian.com