API tools faq
paste
ExecuteMalware

2021-03-18 Hancitor IOCs

ExecuteMalware
Mar 18th, 2021 (edited)
5,370
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 7.78 KB | None | 0 0
raw download clone embed print report
  1. THREAT IDENTIFICATION: HANCITOR
  2.  
  3. SUBJECTS OBSERVED
  4. You got invoice from DocuSign Electronic Service
  5. You got invoice from DocuSign Service
  6. You got notification from DocuSign Electronic Service
  7. You got notification from DocuSign Electronic Signature Service
  8. You got notification from DocuSign Service
  9. You got notification from DocuSign Signature Service
  10. You received invoice from DocuSign Electronic Service
  11. You received invoice from DocuSign Electronic Signature Service
  12. You received invoice from DocuSign Service
  13. You received invoice from DocuSign Signature Service
  14. You received notification from DocuSign Electronic Service
  15. You received notification from DocuSign Electronic Signature Service
  16. You received notification from DocuSign Service
  17. You received notification from DocuSign Signature Service
  18.  
  19. SENDERS OBSERVED
  20. [email protected]
  21. [email protected]
  22. [email protected]
  23. [email protected]
  24. [email protected]
  25. [email protected]
  26. [email protected]
  27. [email protected]
  28. [email protected]
  29. [email protected]
  30. [email protected]
  31. [email protected]
  32. [email protected]
  33. [email protected]
  34. [email protected]
  35. [email protected]
  36. [email protected]
  37. [email protected]
  38. [email protected]
  39. [email protected]
  40. [email protected]
  41. [email protected]
  42. [email protected]
  43. [email protected]
  44. [email protected]
  45. [email protected]
  46. [email protected]
  47.  
  48. MALDOC REDIRECT URLS
  49. https://www.google.com/url?q=http://alwayscomply.com/sites/default/modules/cck/translations/help/de/dip.php&source=gmail&ust=1616148253953000&usg=AFQjCNG91xuWh7Lq9xWZjbVKfeaODM47ZQ
  50. https://www.google.com/url?q=http://alwayscomply.com/sites/default/modules/cck/translations/help/de/impinge.php&source=gmail&ust=1616148253953000&usg=AFQjCNGd4y2Wcog2N19amMynsC_9AKM0Qg
  51. https://www.google.com/url?q=http://archive-admin.museubandasfilarmonicas.pt/assets/plugins/jquery-file-upload/server/php/files/austria.php&source=gmail&ust=1616148253954000&usg=%0D%0AAFQjCNHB_VH8sITckq8j_an_QD0H7bFMFQ
  52. https://www.google.com/url?q=http://archive-admin.museubandasfilarmonicas.pt/assets/plugins/jquery-file-upload/server/php/files/austria.php&source=gmail&ust=1616148253954000&usg=AFQjCNHB_VH8sITckq8j_an_QD0H7bFMFQ
  53. https://www.google.com/url?q=http://tao.arnoldinum.cloud/qtiItemPci/views/js/pciCreator/paten.php&source=gmail&ust=1616148253953000&usg=AFQjCNG3BmLzQyaMvZQyALCmO2n9MN4v3g
  54. https://www.google.com/url?q=http://tao.arnoldinum.cloud/qtiItemPci/views/js/pciCreator/trackman.php&source=gmail&ust=1616148253954000&usg=AFQjCNGI0rHP-w2onvzXvv_YC1KQe8NR6A
  55. https://www.google.com/url?q=https://alaseeldates.com/predispose.php&source=gmail&ust=1616148253954000&usg=AFQjCNHhru9FX4ASRSMGZKl1hn-x276YTA
  56. https://www.google.com/url?q=https://alaseeldates.com/snoozer.php&source=gmail&ust=1616148253953000&usg=AFQjCNHcfcedHHOyhqZamM-UV4slpRki5g
  57. https://www.google.com/url?q=https://aprilstudios.in/appropriate.php&source=gmail&ust=1616148253954000&usg=AFQjCNF-SRFZeIucjKC74M8ANtMaU8z3Hw
  58. https://www.google.com/url?q=https://aprilstudios.in/oz.php&source=gmail&ust=1616148253953000&usg=AFQjCNEZSwhqIHCN3Q2tbb-pQjseTnqTOQ
  59. https://www.google.com/url?q=https://aprilstudios.in/transverter.php&source=gmail&ust=1616148253954000&usg=AFQjCNFjlYKzOuoW2OnGXSwNThjqEXhx-g
  60. https://www.google.com/url?q=https://chamkoon.com/secund.php&source=gmail&ust=1616148253954000&usg=AFQjCNE7FNF5pQjCAW8JVDK9bmP0v5-vOw
  61. https://www.google.com/url?q=https://chamkoon.com/wrongness.php&source=gmail&ust=1616148253954000&usg=AFQjCNGDINAExVrk6errRs7HysLxHq5enA
  62. https://www.google.com/url?q=https://cluebazar.com/upstairs.php&source=gmail&ust=1616148253954000&usg=AFQjCNEBJLi_vsN1IZLzqjISwLJd4QCycw
  63. https://www.google.com/url?q=https://emiratesminning.com/refers.php&source=gmail&ust=1616148253952000&usg=AFQjCNGwmq4JG0a5nHvtM-DsfyT6g8WZRQ
  64. https://www.google.com/url?q=https://livenetworks.com.br/sakhalin.php&source=gmail&ust=1616148253953000&usg=AFQjCNGWyvivCM6mNTntohyPUmMp-UC2DQ
  65. https://www.google.com/url?q=https://locequipamentosbh.com.br/dissenting.php&source=gmail&ust=1616148253953000&usg=AFQjCNFAfNrwGvOqamAovRPSNCciZ1CLXg
  66. https://www.google.com/url?q=https://locequipamentosbh.com.br/dowager.php&source=gmail&ust=1616148253954000&usg=AFQjCNHgppXUdFMfg10tIzapFl5VAGyGRw
  67. https://www.google.com/url?q=https://locequipamentosbh.com.br/theomorphic.php&source=gmail&ust=1616148253954000&usg=AFQjCNGbJM1e4y2LlqKFyp4yj5EnC4CyfQ
  68. https://www.google.com/url?q=https://m7a.rgstage.com/brazier.php&source=gmail&ust=1616148253953000&usg=AFQjCNGdIpVlW0g5550PUTVUk7FeaInZCQ
  69. https://www.google.com/url?q=https://m7a.rgstage.com/monologue.php&source=gmail&ust=1616148253953000&usg=AFQjCNGb7yJpEnbiu-f4lpeQtBv0a6lLOw
  70. https://www.google.com/url?q=https://mail.daunhotmiendong.vn/controvertible.php&source=gmail&ust=1616148253954000&usg=AFQjCNGgyf7Tf7u9dTtvttkKCvgBTpg_zw
  71. https://www.google.com/url?q=https://mail.daunhotmiendong.vn/pusillanimous.php&source=gmail&ust=1616148253954000&usg=AFQjCNE3qPBnoC1pjGi6JlYCdqi98zm3kw
  72. https://www.google.com/url?q=https://orsan.gruporhynous.com/speed.php&source=gmail&ust=1616148253954000&usg=AFQjCNGaQvSL_y_uSRgnP3FcvXEJ-zSEmw
  73. https://www.google.com/url?q=https://webworks.nepila.com/crazed.php&source=gmail&ust=1616148253954000&usg=AFQjCNGGuc0hcxNbunmm4YHXQXwIIQ8DYA
  74. https://www.google.com/url?q=https://webworks.nepila.com/defector.php&source=gmail&ust=1616148253954000&usg=AFQjCNFYvfyuwM9fHk8UacywoyeTz6n1aA
  75.  
  76. MALDOC DISTRIBUTION URLS
  77. http://alwayscomply.com/sites/default/modules/cck/translations/help/de/dip.php
  78. http://alwayscomply.com/sites/default/modules/cck/translations/help/de/impinge.php
  79. http://archive-admin.museubandasfilarmonicas.pt/assets/plugins/jquery-file-upload/server/php/files/austria.php
  80. http://tao.arnoldinum.cloud/qtiItemPci/views/js/pciCreator/paten.php
  81. http://tao.arnoldinum.cloud/qtiItemPci/views/js/pciCreator/trackman.php
  82. https://alaseeldates.com/predispose.php
  83. https://alaseeldates.com/snoozer.php
  84. https://aprilstudios.in/appropriate.php
  85. https://aprilstudios.in/oz.php
  86. https://aprilstudios.in/transverter.php
  87. https://chamkoon.com/secund.php
  88. https://chamkoon.com/wrongness.php
  89. https://cluebazar.com/upstairs.php
  90. https://emiratesminning.com/refers.php
  91. https://livenetworks.com.br/sakhalin.php
  92. https://locequipamentosbh.com.br/dissenting.php
  93. https://locequipamentosbh.com.br/dowager.php
  94. https://locequipamentosbh.com.br/theomorphic.php
  95. https://m7a.rgstage.com/brazier.php
  96. https://m7a.rgstage.com/monologue.php
  97. https://mail.daunhotmiendong.vn/controvertible.php
  98. https://mail.daunhotmiendong.vn/pusillanimous.php
  99. https://orsan.gruporhynous.com/speed.php
  100. https://webworks.nepila.com/crazed.php
  101. https://webworks.nepila.com/defector.php
  102.  
  103. alaseeldates.com
  104. alwayscomply.com
  105. aprilstudios.in
  106. arnoldinum.cloud
  107. chamkoon.com
  108. cluebazar.com
  109. daunhotmiendong.vn
  110. emiratesminning.com
  111. gruporhynous.com
  112. livenetworks.com.br
  113. locequipamentosbh.com.br
  114. museubandasfilarmonicas.pt
  115. nepila.com
  116. rgstage.com
  117.  
  118. HANCITOR MALDOC FILE HASHES
  119. 0ddee5b7da65f3a801677a9187c92d35
  120. 30e8467c27864508ee01fa82f719849c
  121. 504afcedfccc2caf7e2bd9a440bbe566
  122. 534350c5741aa2175ca54f219ab7d905
  123. 69022fe73ea471e0a9e0af364a023cc2
  124. 709a14419d84ac5e0d8a95071008cce1
  125. 7fee47f618c0c7f18488ca357f3b26df
  126. 9bb98f4388cb39e11c17e825ffca2b84
  127. b17e33adf9f089bafe33c65c5f446287
  128. c355368d0f5ff410851ab8900da7098c
  129. df5bc23f39f5bc0926cdbed514712ed6
  130.  
  131. HANCITOR PAYLOAD FILE HASH
  132. Static.dll
  133. be81b6f1ce7a7673c1c549064de73430
  134.  
  135. HANCITOR C2
  136. http://froursmonesed.com/8/forum.php
  137. http://abouniteta.ru/8/forum.php
  138.  
  139. FICKER STEALER PAYLOAD URLS
  140. http://pirijinko.ru/6jkiuwf43.exe
  141.  
  142. FICKER STEALER FILE HASH
  143. 6jkiuwf43.exe
  144. 77be0dd6570301acac3634801676b5d7
  145.  
  146. FICKER STEALER C2
  147. http://sweyblidian.com
  148.  
  149. COBALT STRIKE FILE HASHES
  150. 1703.bin
  151. c9a34a84b8be1d3b4f84fc50bd1ac80a
  152.  
  153. 1703s.bin
  154. 339db7ec6f43de6df9109f13b17842b6
  155.  
  156. I also found these on the same domain
  157. 1102.bin
  158. 75dd171de48fb65c9ff07e937b473ced
  159.  
  160. 1102s.bin
  161. 68552585411cf40c9c7f5cda18840bd7
  162.  
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!