2021-01-13 Hancitor IOCs

1. THREAT ATTRIBUTION: HANCITOR
2.  
3. SUBJECTS OBSERVED
4. You got invoice from DocuSign Electronic Signature Service
5. You got invoice from DocuSign Signature Service
6. You received invoice from DocuSign Electronic Service
7. You received invoice from DocuSign Electronic Signature Service
8. You received invoice from DocuSign Signature Service
9. You received notification from DocuSign Service
10. You received notification from DocuSign Signature Service
11.  
12. SENDERS OBSERVED
13. [email protected]
14. [email protected]
15. [email protected]
16. [email protected]
17. [email protected]
18. [email protected]
19. [email protected]
20. [email protected]
21. [email protected]
22. [email protected]
23. [email protected]
24. [email protected]
25. [email protected]
26. [email protected]
27.  
28. MALDOC LANDING PAGE URLS
29. https://docs.google.com/document/d/e/2PACX-1vQ8EUgCYQUcuVY4fZNgwVzjMGlIcxOQf-5OhE54XycV-2Vs9Nd5abHVZXofMbEmZ3Vr8zVmNEfSLOtd/pub
30. https://docs.google.com/document/d/e/2PACX-1vQe4D7rlOvnx3pL3XXm87rOWvpmukrXyVJ1Fnh07rlH7Vu2jMgWLwmEPbztpdkjWAHXbrKb6vpiRRqo/pub
31. https://docs.google.com/document/d/e/2PACX-1vQGusmKYoOLQpm8Dbmi-paVVrpSP7UhAnEhNlS_NNYVrhBiuDgW1-D6NA-Gus1-QaYYelw4_41uCgq1/pub
32. https://docs.google.com/document/d/e/2PACX-1vQl7TDIxzywd-W9yFy-VXkYQM3y5Eb72SSy0O-_XhkjdkWZbyBGNRYxYGim1NZADmKEoxYwAQT9MV2k/pub
33. https://docs.google.com/document/d/e/2PACX-1vQWA3SQhtV-paajGS633EiZHlwaNdVO_eK1NJh9LovGv_SqR9QmkTZfaEhgesubUYX8ebUihmjujRqe/pub
34. https://docs.google.com/document/d/e/2PACX-1vRGS2sKnARxGbg1WQ5qUOJiW4VcdJnIrurX-K4FlJQurdMeePTKm9K6nj0_H3o34APJ902YP3787s_2/pub
35. https://docs.google.com/document/d/e/2PACX-1vRwVD4yjiPNrt-zwI0STRj-Kat0_ucUuJWK7F6BRgzNWCYZOhvplIhmBMy75Sy40vXvpGfGywJJy96p/pub
36. https://docs.google.com/document/d/e/2PACX-1vSDgYXyRdkU2625gRdCBNuLIM95iyazc-ISMkeWdwspiDQWZNWkOlbAE3J7ErNT1XMu-_eDHqW4Fp0J/pub
37. https://docs.google.com/document/d/e/2PACX-1vSqh1YzQquq8H0PJ7OCmarXoPZXDMNflrMjHhM1rhrtmFTHUliQLGnav6ErR7UQh0E66cnABHU_2r2V/pub
38. https://docs.google.com/document/d/e/2PACX-1vSqhKib_f57vHVXCZsBm4lJ7oz0tPASRRfWtsrkc0sHhcpoz9j7xWYu-HZULYMdNoec5FSzxzbkNOg4/pub
39. https://docs.google.com/document/d/e/2PACX-1vT79QaECM7MfRaESNlNI_WzJe6Yv1baiRGVirBf2sMAZkMduUQF3SAQj_iosDZDhVwyrkBIxiwnu456/pub
40. https://docs.google.com/document/d/e/2PACX-1vTDxUKbJpQu8K04Oor6R2ntWJ8AeuNezsLo9wWoYNLVays6Fe8uaI9GBoM3vBS6HbQPdenmMdofsZWY/pub
41. https://docs.google.com/document/d/e/2PACX-1vTJYvV8ZulMINV6fQvrRmf7jlqPSf63Pek25lmUBqfJdw06vp1jbTjV-tVGnodsdXMIC6UjOfpCxO3h/pub
42.  
43. MALDOC DISTRIBUTION URLS
44. http://apdema.org.pe/greedy.php
45. http://bucharestbeerbike.ro.beerbikebucharest.ro/tangled.php
46. http://apdema.org.pe/bilevel.php
47. https://alphapower.systems/elephant.php
48. http://bucharestbeerbike.ro.beerbikebucharest.ro/jazz.php
49. http://artntainment.com/prodigy.php
50. https://social.powerpc.in/antebellum.php
51. https://thefuturepower.com/polestar.php
52. https://hotelsystem.co.id/undergarment.php
53. https://vallartaexpeditions.com/obstreperous.php
54. https://alphapower.systems/insensible.php
55. https://alphapower.systems/attraction.php
56. https://social.powerpc.in/curing.php
57.  
58. alphapower.systems
59. apdema.org.pe
60. artntainment.com
61. beerbikebucharest.ro
62. hotelsystem.co.id
63. powerpc.in
64. thefuturepower.com
65. vallartaexpeditions.com
66.  
67. HANCITOR MALDOC FILE HASHES
68. None
69.  
70. HANCITOR PAYLOAD FILE HASHES
71. None
72.  
73. HANCITOR DOWNLOAD URLS
74. None
75.  
76. HANCITOR C2
77. http://requirend.com/8/forum.php
78. http://spabyasiande.ru/8/forum.php
79. http://conlymorect.ru/8/forum.php
80.  
81. FICKER STEALER PAYLOAD URL
82. http://anabolicsteroidsbuy.info/nedfr.exe