2021-01-26 Hancitor IOCs

1. THREAT ATTRIBUTION: HANCITOR
2.  
3. HANCITOR BUILD
4. Build: 2601_ven87
5.  
6. SUBJECTS OBSERVED
7. You got invoice from DocuSign Electronic Service
8. You got invoice from DocuSign Service
9. You got notification from DocuSign Electronic Service
10. You got notification from DocuSign Electronic Signature Service
11. You got notification from DocuSign Service
12. You received invoice from DocuSign Electronic Signature Service
13. You received invoice from DocuSign Service
14. You received invoice from DocuSign Signature Service
15.  
16. SENDERS OBSERVED
17. [email protected]
18. [email protected]
19. [email protected]
20. [email protected]
21. [email protected]
22. [email protected]
23. [email protected]
24. [email protected]
25. [email protected]
26. [email protected]
27. [email protected]
28. [email protected]
29.  
30. MALDOC LANDING PAGES
31. https://docs.google.com/document/d/e/2PACX-1vQb9kTLGGlIhF9tzzyqHN0LGSETsH5skWAj_eQdl1S9pA1mrROAKXJuwp_Bu16tBT6l55taVOirdPi7/pub
32. https://docs.google.com/document/d/e/2PACX-1vQeZ_Bb-DkvdOvCS42umsZzDI-cMx-H4SzTXUk7uPbzk2TdoxZ2DczEhvinch48BuSfR1Z4hJbAYKa5/pub
33. https://docs.google.com/document/d/e/2PACX-1vQWIZOS9oRoaU_xZn0e_IFZ9rbigHPU4Sye0SbMgbrz4O8CRmcL-8yWatPRZEmEadmyp_5Jj82Az16N/pub
34. https://docs.google.com/document/d/e/2PACX-1vRbrQ9ZigCB6_f2tzhDUYC67rOlI2IzVvnajb7tXttEckGpOp7t8BIfNXJzWjsE8m7tlrzgAGyvYwGs/pub
35. https://docs.google.com/document/d/e/2PACX-1vROTXXx5L63qCLmICk8KniCwRkWpu8T3fi5Z_mE1GAPe7dunslEG0kkxpfWUQTNOQygNfA-J5R8orWX/pub
36. https://docs.google.com/document/d/e/2PACX-1vRTHUELErftSm6lh6iXgsE78jFtcF0KqXmJLUMckOkmiuidG48-r0SRKPABGA7TDrB5xpO_rXSNMZxm/pub
37. https://docs.google.com/document/d/e/2PACX-1vSIme9CaLvq2CDIra8KZe86vVo5vLTeodlASmbPfUuvdbTaQGjbAF2NYIm_KjdCtvMsAeUh5oIldYmM/pub
38. https://docs.google.com/document/d/e/2PACX-1vSn8CaWkcszp6yO6qQftphWqW3RQCD1KlY9DzRmKtNYZFHtc2h1El2tfvQc3hkgaL_QOY2XiEk2UniM/pub
39. https://docs.google.com/document/d/e/2PACX-1vSQqKAlKN__ndBF2SBBWB1_GWOSQjwYw7r3KvzQB7ZhPLTr1Oz6W9bd8bjP1ClPkWUag6qu-0Kxdw1m/pub
40. https://docs.google.com/document/d/e/2PACX-1vTTzvvOixhA0pBXubkEPT8d3FPp5LEqdS4olINuO579aiqVbrhFRKe-RU4F_w_A13mOXjr1ASipUfAq/pub
41. https://docs.google.com/document/d/e/2PACX-1vTZB9KTJD7y3vDxdB214lU8QUHm8yCnnoZQZ0N1Jwm0RjGXjR96c1jCHrV4jG52LjP1_BqwShgLsxbj/pub
42.  
43. MALDOC DOWNLOAD URLS
44. http://cariustadz.org/file_manager/thumbs/kelas-9/materi/bab-1-perpangkatan-bentuk-akar/agate.php
45. http://cariustadz.org/file_manager/thumbs/kelas-9/materi/bab-1-perpangkatan-bentuk-akar/pontiff.php
46. http://libimprov.com/wp-content/plugins/thim-core/templates/dashboard/prophesying.php
47. http://premierpt.co.uk/wp-includes/sodium_compat/src/Core32/ChaCha20/baton.php
48. http://premierpt.co.uk/wp-includes/sodium_compat/src/Core32/ChaCha20/victorianism.php
49. http://rollpaper.hu/wpadmin/wp-content/themes/i-craft/css/wynd.php
50. https://broadgr.com/wp-content/plugins/woocommerce-conversion-tracking/includes/integrations/pundit.php
51. https://en.gooddrink.com.tr/wp-content/plugins/revslider/views/system/aligns.php
52. https://en.gooddrink.com.tr/wp-content/plugins/revslider/views/system/bathrobe.php
53. https://muchoruidoacademy.com/site/cryptic.php
54. https://muchoruidoacademy.com/site/dromedary.php
55.  
56. broadgr.com
57. cariustadz.org
58. gooddrink.com.tr
59. libimprov.com
60. muchoruidoacademy.com
61. premierpt.co.uk
62. rollpaper.hu
63.  
64. MALDOC FILE HASHES
65. N/A
66.  
67. HANCITOR PAYLOAD FILE HASHES
68. N/A
69.  
70. HANCITOR C2
71. http://locroplenes.ru/8/forum.php
72. http://iderfeirel[.]com/8/forum.php
73. http://locroplenes[.]ru/8/forum.php
74. http://surpopene[.]ru/8/forum.php
75.  
76.