Hancitor Ring Central Phish Sep 13, 2017

1. From: RingCentral <[email protected]>
2. Subject: ncoming RingCentral fax from Varies-Varies-Varies
3. Downloaded document name: fax_<6 digits>.doc
4. Document SHA-256: 1c72f575d0c9574afcfcaab7e0b89fe0083dbe8ac20c0132a978eb1f6be59641
5.  
6. Phishing URLs
7. http://cleanairacandheating.info/v.php?n=
8. http://cleanairacandheating.net/v.php?n=
9. http://cleanairacandheating.com/
10. http://lsgsettlements.net/v.php?n=
11. http://lsgsettlements.com/v.php?n=
12. http://fitnesskitchenlv.com/v.php?n=
13. http://myinternetsweepstakes.com/v.php?n=
14. http://comfortadvisorteams.com/v.php?n=
15. http://abcpromotions.net/v.php?n=
16. http://morninbreakcafe.com/v.php?n=
17. http://coronanorthern.com/v.php?n=
18.  
19. CNC URLs
20. http://cyfievengtont.com/ls5/forum.php
21. http://cyfievengtont.com/mlu/forum.php
22. http://cyfievengtont.com/d2/about.php
23. http://witcahinrab.ru/ls5/forum.php
24. http://dingletorsspar.ru/ls5/forum.php
25.  
26. Zloader
27. http://tonslysedding.ru/bdl/gate.php
28. http://botoldrithap.ru
29.  
30. Malware delivery link
31. File 1 SHA-256 1e22c81ec2c9b5223c857c1a67d67b7a3c1d9b6ed3ae3a8c97535faa8249a124
32. File 2 SHA-256 f4a5e304730183c86a35a18efae698da9e210377463a13d2620838db1470215e
33. File 3 SHA-256 e71917e8db4db42bfed3242765718125c12cc345e89d408ad70a4cdcb7f11eda
34. http://www.pennisonlawllc.com/wp-content/themes/twentysixteen/inc/3
35.  
36. IPs
37. 174.129.241.106
38. 31.41.45.17
39. 208.113.183.151
40. 185.81.113.162
41. 216.146.43.70
42. 171.25.193.77
43. 37.59.46.159
44. 46.165.230.5