2021-07-14 Hancitor IOCs

1. THREAT IDENTIFICATION: HANCITOR / FICKER STEALER / COBALT STRIKE
2.  
3. HANCITOR BUILD NUMBER
4. BUILD=1407_bdgtq
5.  
6. SUBJECTS OBSERVED
7. You got invoice from DocuSign Electronic Service
8. You got invoice from DocuSign Electronic Signature Service
9. You got invoice from DocuSign Service
10. You got invoice from DocuSign Signature Service
11. You got notification from DocuSign Electronic Service
12. You got notification from DocuSign Electronic Signature Service
13. You received invoice from DocuSign Electronic Service
14. You received invoice from DocuSign Service
15. You received invoice from DocuSign Signature Service
16. You received notification from DocuSign Electronic Signature Service
17. You received notification from DocuSign Signature Service
18.  
19. SENDERS OBSERVED
20. bwyvaec@dedoho.com
21. cectyv@dedoho.com
22. cicmu@dedoho.com
23. guu@dedoho.com
24. humoz@dedoho.com
25. hyji@dedoho.com
26. i@dedoho.com
27. jkeauvi@dedoho.com
28. jmdt@dedoho.com
29. midel@dedoho.com
30. nekdvih@dedoho.com
31. nitalli@dedoho.com
32. nqydmaw@dedoho.com
33. oemmavb@dedoho.com
34. opsuryv@dedoho.com
35. tinxy@dedoho.com
36. tis@dedoho.com
37. uf@dedoho.com
38. uwcrcry@dedoho.com
39. vy@dedoho.com
40.  
41. MALDOC PROXY DISTRIBUTION URLS
42. http://feedproxy.google.com/~r/aawwrfpiyju/~3/rQ2eNjsIPD4/peritonitic.php
43. http://feedproxy.google.com/~r/augbusv/~3/XzFbW9_QfPk/apetizer.php
44. http://feedproxy.google.com/~r/bhascjx/~3/sWg2mC0LYlI/accordant.php
45. http://feedproxy.google.com/~r/blkivy/~3/gxJDvfFi_EE/pellagrous.php
46. http://feedproxy.google.com/~r/dqzwmrbgyz/~3/EPsPm6mXk2A/fiche.php
47. http://feedproxy.google.com/~r/ggrfukmx/~3/D4RY9qnpAA8/irishman.php
48. http://feedproxy.google.com/~r/gudfzig/~3/dWwVv2qZOaY/nostalgic.php
49. http://feedproxy.google.com/~r/iqyonmqay/~3/6u2eI3b-4Rc/substantially.php
50. http://feedproxy.google.com/~r/jwqat/~3/ZNm-Kz9PQuM/woodenness.php
51. http://feedproxy.google.com/~r/kunzisc/~3/LXmuChmfi2Q/allured.php
52. http://feedproxy.google.com/~r/ldvqeuiw/~3/_jcg3wfbPTw/proofread.php
53. http://feedproxy.google.com/~r/pjzokrkuuvg/~3/-029Oi4fUAU/union.php
54. http://feedproxy.google.com/~r/qicwamb/~3/YIqL4GD4B0I/disembarkation.php
55. http://feedproxy.google.com/~r/uaoumyq/~3/Wyc7fLZ46JI/indenting.php
56. http://feedproxy.google.com/~r/umjsnqzidmv/~3/gTFbO3Uzr9A/local.php
57. http://feedproxy.google.com/~r/wyfexrqdq/~3/_jcg3wfbPTw/proofread.php
58.  
59. MALDOC REDIRECT DOWNLOAD URLS
60. http://acrilicoporto.pt/fiche.php
61. http://acrilicoporto.pt/indenting.php
62. http://acrilicoporto.pt/union.php
63. http://aracil24horas.com/proofread.php
64. http://criticalcare.virologyconnect.org/peritonitic.php
65. http://criticalcare.virologyconnect.org/woodenness.php
66. http://likizoa-tac.jornadatrabalho.com.br/pellagrous.php
67. http://likizoa-tac.jornadatrabalho.com.br/substantially.php
68. http://likizoa-werner.jornadatrabalho.com.br/irishman.php
69. http://loan-saathi.in/allured.php
70. http://vulkanvegasbonus.ucargiyim.com/accordant.php
71. http://vulkanvegasbonus.ucargiyim.com/apetizer.php
72. https://greenfrites.com/nostalgic.php
73. https://portal.controleautomacao.com.br/disembarkation.php
74. https://vigerdis.com/local.php
75.  
76. acrilicoporto.pt
77. aracil24horas.com
78. controleautomacao.com.br
79. greenfrites.com
80. jornadatrabalho.com.br
81. loan-saathi.in
82. ucargiyim.com
83. vigerdis.com
84. virologyconnect.org
85.  
86. MALDOC FILE HASHES
87. 291447db25c1e9f1bf9fb5f87d213bc6
88. cf134f6c0f3d5573f59ea46810d782e4
89.  
90. HANCITOR PAYLOAD FILE HASH
91. ier.dll
92. 33c5b39189125bc821585ff4769cd1b7
93.  
94. HANCITOR C2
95. http://metweveer.ru/8/forum.php
96. http://omermancto.ru/8/forum.php
97. http://wortlybeentax.com/8/forum.php
98.  
99. FICKER STEALER DOWNLOAD URL
100. http://4a5ikol.ru/7jkio8943wk.exe
101.  
102. FICKER STEALER FILE HASH
103. 7jkio8943wk.exe
104. 270c3859591599642bd15167765246e3
105.  
106. FICKER STEALER C2
107. http://pospvisis.com
108.  
109. COBALT STRIKE STAGER DOWNLOAD URLS
110. http://4a5ikol.ru/1407.bin
111. http://4a5ikol.ru/1407s.bin
112.  
113. COBALT STRIKE STAGER FILE HASHES
114. 1407.bin
115. ee8283d406475b5015fe3faca2896b2d
116.  
117. 1407s.bin
118. 80c225a95caba77a72289472c73291df
119.  
120. COBALT STRIKE BEACON DOWNLOAD URL
121. http://207.148.23.64/Rcn9
122.  
123. COBALT STRIKE BEACON FILE HASH
124. Rcn9
125. 2ce9fd855d3fd4316c7d46d28d183c16
126.  
127. COBALT STRIKE C2
128. http://207.148.23.64/ptj
129.  
130. ADDITIONAL COBALT STRIKE URLS FROM STRINGS IN MEMORY
131. https://207.148.23.64/vfM3
132. https://207.148.23.64/fwlink
133.  
134. COBALT STRIKE CONFIGURATION (from Didier Stevens 1768 Python script)
135. File: Rcn9
136. xorkey(chain): 0x3cb3a258
137. length: 0x00033400
138. payloadType: 0x10014fc2
139. payloadSize: 0x00000000
140. intxorkey: 0x00000000
141. id2: 0x00000000
142. Config found: xorkey b'.' 0x00030220 0x00033400
143. 0x0001 payload type 0x0001 0x0002 0 windows-beacon_http-reverse_http
144. 0x0002 port 0x0001 0x0002 80
145. 0x0003 sleeptime 0x0002 0x0004 60000
146. 0x0004 maxgetsize 0x0002 0x0004 1048576
147. 0x0005 jitter 0x0001 0x0002 0
148. 0x0007 publickey 0x0003 0x0100 30819f300d06092a864886f70d010101050003818d0030818902818100a738cde75f1fbb1c18646c377e03016b162b12ba72bdf7dc36b4cd2e4e9bae12205a95c26170bf908105ad7fa4bbccfa798632261bed9870f975f20794e1fe499523d71f08a56cae0315bfde3d6c8a16386b03b7a6551aa1336d50325a3500db27d78ad8fd13b6a73b9fb7c3fb4d7a088e323f07618656ecd83595fa5f823613020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
149. 0x0008 server,get-uri 0x0003 0x0100 '207.148.23.64,/ptj'
150. 0x0043 0x0001 0x0002 0
151. 0x0044 0x0002 0x0004 4294967295
152. 0x0045 0x0002 0x0004 4294967295
153. 0x0046 0x0002 0x0004 4294967295
154. 0x000e SpawnTo 0x0003 0x0010 (NULL ...)
155. 0x001d spawnto_x86 0x0003 0x0040 '%windir%\\syswow64\\rundll32.exe'
156. 0x001e spawnto_x64 0x0003 0x0040 '%windir%\\sysnative\\rundll32.exe'
157. 0x001f CryptoScheme 0x0001 0x0002 0
158. 0x001a get-verb 0x0003 0x0010 'GET'
159. 0x001b post-verb 0x0003 0x0010 'POST'
160. 0x001c HttpPostChunk 0x0002 0x0004 0
161. 0x0025 license-id 0x0002 0x0004 0
162. 0x0026 bStageCleanup 0x0001 0x0002 0
163. 0x0027 bCFGCaution 0x0001 0x0002 0
164. 0x0009 useragent 0x0003 0x0100 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)'
165. 0x000a post-uri 0x0003 0x0040 '/submit.php'
166. 0x000b Malleable_C2_Instructions 0x0003 0x0100 '\x00\x00\x00\x04'
167. 0x000c http_get_header 0x0003 0x0200
168. b'Cookie'
169. 0x000d http_post_header 0x0003 0x0200
170. b'&Content-Type: application/octet-stream'
171. b'id'
172. 0x0036 HostHeader 0x0003 0x0080 (NULL ...)
173. 0x0032 UsesCookies 0x0001 0x0002 1
174. 0x0023 proxy_type 0x0001 0x0002 2 IE settings
175. 0x003a 0x0003 0x0080 '\x00\x04'
176. 0x0039 0x0003 0x0080 '\x00\x04'
177. 0x0037 0x0001 0x0002 0
178. 0x0028 killdate 0x0002 0x0004 0
179. 0x0029 textSectionEnd 0x0002 0x0004 0
180. 0x002b process-inject-start-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
181. 0x002c process-inject-use-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
182. 0x002d process-inject-min_alloc 0x0002 0x0004 0
183. 0x002e process-inject-transform-x86 0x0003 0x0100 (NULL ...)
184. 0x002f process-inject-transform-x64 0x0003 0x0100 (NULL ...)
185. 0x0035 process-inject-stub 0x0003 0x0010 '2ÍAíð\x81\x0c[_I\x8eßG1Ìm'
186. 0x0033 process-inject-execute 0x0003 0x0080 '\x01\x02\x03\x04'
187. 0x0034 process-inject-allocation-method 0x0001 0x0002 0
188. 0x0000
189.  
190.