ExecuteMalware

2021-01-28 Hancitor IOCs

Jan 28th, 2021
THREAT ATTRIBUTION: HANCITOR / FICKER

HANCITOR BUILD
BUILD=2801_09daf

SUBJECTS OBSERVED
You got invoice from DocuSign Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Electronic Signature Service
You received invoice from DocuSign Electronic Signature Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED

MALDOC LANDING PAGES

MALDOC DOWNLOAD URLS
http://premierpt.co.uk/wp-includes/sodium_compat/src/Core32/ChaCha20/pylori.php
http://www.serve-tour.com/app/good.php
http://cariustadz.org/file_manager/thumbs/kelas-9/materi/bab-1-perpangkatan-bentuk-akar/mammy.php

cariustadz.org
premierpt.co.uk
serve-tour.com

MALDOC FILE HASHES
0d5cb52d070f43da9997ca2de206492f
49c03cf07481d6765fc1b96300db265b
b4953fcb0876191b9fecbef8a9b94def
c462a131264ab4b38da7495d646b1d15

HANCITOR PAYLOAD FILE HASHES
W0rd.dll
592aa94f9d542209d632404ce1aca51d

HANCITOR C2
http://poresson.com /8/forum.php

FICKER STEALER DOWNLOAD URLS
try-dent.net/6gdwwv.exe

FICKER STEALER FILE HASH
6gdwwv.exe
77be0dd6570301acac3634801676b5d7