- THREAT IDENTIFICATION: HANCITOR / FICKER STEALER / COBALT STRIKE
- HANCITOR BUILD NUMBER
- BUILD=1407_bdgtq
- SUBJECTS OBSERVED
- You got invoice from DocuSign Electronic Service
- You got invoice from DocuSign Electronic Signature Service
- You got invoice from DocuSign Service
- You got invoice from DocuSign Signature Service
- You got notification from DocuSign Electronic Service
- You got notification from DocuSign Electronic Signature Service
- You received invoice from DocuSign Electronic Service
- You received invoice from DocuSign Service
- You received invoice from DocuSign Signature Service
- You received notification from DocuSign Electronic Signature Service
- You received notification from DocuSign Signature Service
- SENDERS OBSERVED
- bwyvaec@dedoho.com
- cectyv@dedoho.com
- cicmu@dedoho.com
- guu@dedoho.com
- humoz@dedoho.com
- hyji@dedoho.com
- i@dedoho.com
- jkeauvi@dedoho.com
- jmdt@dedoho.com
- midel@dedoho.com
- nekdvih@dedoho.com
- nitalli@dedoho.com
- nqydmaw@dedoho.com
- oemmavb@dedoho.com
- opsuryv@dedoho.com
- tinxy@dedoho.com
- tis@dedoho.com
- uf@dedoho.com
- uwcrcry@dedoho.com
- vy@dedoho.com
- MALDOC PROXY DISTRIBUTION URLS
- http://feedproxy.google.com/~r/aawwrfpiyju/~3/rQ2eNjsIPD4/peritonitic.php
- http://feedproxy.google.com/~r/augbusv/~3/XzFbW9_QfPk/apetizer.php
- http://feedproxy.google.com/~r/bhascjx/~3/sWg2mC0LYlI/accordant.php
- http://feedproxy.google.com/~r/blkivy/~3/gxJDvfFi_EE/pellagrous.php
- http://feedproxy.google.com/~r/dqzwmrbgyz/~3/EPsPm6mXk2A/fiche.php
- http://feedproxy.google.com/~r/ggrfukmx/~3/D4RY9qnpAA8/irishman.php
- http://feedproxy.google.com/~r/gudfzig/~3/dWwVv2qZOaY/nostalgic.php
- http://feedproxy.google.com/~r/iqyonmqay/~3/6u2eI3b-4Rc/substantially.php
- http://feedproxy.google.com/~r/jwqat/~3/ZNm-Kz9PQuM/woodenness.php
- http://feedproxy.google.com/~r/kunzisc/~3/LXmuChmfi2Q/allured.php
- http://feedproxy.google.com/~r/ldvqeuiw/~3/_jcg3wfbPTw/proofread.php
- http://feedproxy.google.com/~r/pjzokrkuuvg/~3/-029Oi4fUAU/union.php
- http://feedproxy.google.com/~r/qicwamb/~3/YIqL4GD4B0I/disembarkation.php
- http://feedproxy.google.com/~r/uaoumyq/~3/Wyc7fLZ46JI/indenting.php
- http://feedproxy.google.com/~r/umjsnqzidmv/~3/gTFbO3Uzr9A/local.php
- http://feedproxy.google.com/~r/wyfexrqdq/~3/_jcg3wfbPTw/proofread.php
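The subjects, senders and proxy links above are one lure seen from three angles. As an added example (not part of the original pastebin, and not the analyst's own tooling), the check below generalises them into a mail-triage rule: the eleven observed subjects are all instances of one phrase pattern, every sender is a random local part at dedoho.com, and every maldoc link is a FeedBurner redirector whose final path component is the same file name that appears in the redirect URLs. The message dicts, ids and header layout are constructed for the demonstration.

```python
"""Added example, not from the original pastebin: triage inbound mail against
the Hancitor DocuSign lure (subject wording, sender domain, feedproxy link).
SAMPLE_MESSAGES and the dict layout are constructed samples."""
import re
from typing import Dict, List, Tuple

SENDER_DOMAIN = "dedoho.com"

# All eleven observed subjects fit:
# "You {got|received} {invoice|notification} from DocuSign [Electronic] [Signature] Service"
SUBJECT_RE = re.compile(
    r"^You (?:got|received) (?:invoice|notification) from DocuSign"
    r"(?: Electronic)?(?: Signature)? Service$"
)

# Observed link shape: feedproxy.google.com/~r/<feed>/~3/<item>/<word>.php
# The captured <word>.php is the file name that also appears in the redirect URLs.
FEEDPROXY_RE = re.compile(
    r"https?://feedproxy\.google\.com/~r/[A-Za-z0-9_-]+/~3/[A-Za-z0-9_-]+/([a-z]+\.php)"
)


def lure_filenames(text: str) -> List[str]:
    """Final path components of any feedproxy links found in text (pivot key to the redirect list)."""
    return FEEDPROXY_RE.findall(text)


def score(msg: Dict[str, str]) -> Tuple[int, List[str]]:
    """Count the independent lure indicators on one message and report which fired."""
    reasons: List[str] = []
    if SUBJECT_RE.match(msg.get("subject", "").strip()):
        reasons.append("subject matches DocuSign lure pattern")
    sender = msg.get("from", "").strip().lower()
    if sender.endswith("@" + SENDER_DOMAIN):
        reasons.append("sender domain seen in campaign")
    names = lure_filenames(msg.get("body", ""))
    if names:
        reasons.append("feedproxy redirect link(s): " + ", ".join(names))
    return len(reasons), reasons


def triage(messages: List[Dict[str, str]], threshold: int = 2) -> List[Tuple[str, List[str]]]:
    """Return (message id, reasons) for every message with at least `threshold` indicators."""
    flagged: List[Tuple[str, List[str]]] = []
    for msg in messages:
        n, reasons = score(msg)
        if n >= threshold:
            flagged.append((msg["id"], reasons))
    return flagged


# Constructed samples: one campaign mail, one ordinary DocuSign-style notification,
# one message that only borrows the subject wording.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "guu@dedoho.com",
     "subject": "You received invoice from DocuSign Signature Service",
     "body": "Review: http://feedproxy.google.com/~r/jwqat/~3/ZNm-Kz9PQuM/woodenness.php"},
    {"id": "m2", "from": "dse@docusign.net",
     "subject": "Completed: Please DocuSign: contract.pdf",
     "body": "All parties have completed the envelope."},
    {"id": "m3", "from": "billing@example.org",
     "subject": "You got notification from DocuSign Electronic Service",
     "body": "See attached."},
]

if __name__ == "__main__":
    for mid, reasons in triage(SAMPLE_MESSAGES):
        print(mid, "->", "; ".join(reasons))
```

The threshold of two indicators keeps a lone subject match (m3) out of the flagged set, since the wording alone is what a legitimate-looking forward could also carry; the feedproxy file name returned by `lure_filenames` is the value to pivot on when matching against the redirect download URLs.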
- MALDOC REDIRECT DOWNLOAD URLS
- http://acrilicoporto.pt/fiche.php
- http://acrilicoporto.pt/indenting.php
- http://acrilicoporto.pt/union.php
- http://aracil24horas.com/proofread.php
- http://criticalcare.virologyconnect.org/peritonitic.php
- http://criticalcare.virologyconnect.org/woodenness.php
- http://likizoa-tac.jornadatrabalho.com.br/pellagrous.php
- http://likizoa-tac.jornadatrabalho.com.br/substantially.php
- http://likizoa-werner.jornadatrabalho.com.br/irishman.php
- http://loan-saathi.in/allured.php
- http://vulkanvegasbonus.ucargiyim.com/accordant.php
- http://vulkanvegasbonus.ucargiyim.com/apetizer.php
- https://greenfrites.com/nostalgic.php
- https://portal.controleautomacao.com.br/disembarkation.php
- https://vigerdis.com/local.php
- MALDOC REDIRECT DOWNLOAD DOMAINS
- acrilicoporto.pt
- aracil24horas.com
- controleautomacao.com.br
- greenfrites.com
- jornadatrabalho.com.br
- loan-saathi.in
- ucargiyim.com
- vigerdis.com
- virologyconnect.org
- MALDOC FILE HASHES
- 291447db25c1e9f1bf9fb5f87d213bc6
- cf134f6c0f3d5573f59ea46810d782e4
- HANCITOR PAYLOAD FILE HASH
- ier.dll
- 33c5b39189125bc821585ff4769cd1b7
- HANCITOR C2
- http://metweveer.ru/8/forum.php
- http://omermancto.ru/8/forum.php
- http://wortlybeentax.com/8/forum.php
- FICKER STEALER DOWNLOAD URL
- http://4a5ikol.ru/7jkio8943wk.exe
- FICKER STEALER FILE HASH
- 7jkio8943wk.exe
- 270c3859591599642bd15167765246e3
- FICKER STEALER C2
- http://pospvisis.com
- COBALT STRIKE STAGER DOWNLOAD URLS
- http://4a5ikol.ru/1407.bin
- http://4a5ikol.ru/1407s.bin
- COBALT STRIKE STAGER FILE HASHES
- 1407.bin
- ee8283d406475b5015fe3faca2896b2d
- 1407s.bin
- 80c225a95caba77a72289472c73291df
- COBALT STRIKE BEACON DOWNLOAD URL
- http://207.148.23.64/Rcn9
- COBALT STRIKE BEACON FILE HASH
- Rcn9
- 2ce9fd855d3fd4316c7d46d28d183c16
- COBALT STRIKE C2
- http://207.148.23.64/ptj
- ADDITIONAL COBALT STRIKE URLS FROM STRINGS IN MEMORY
- https://207.148.23.64/vfM3
- https://207.148.23.64/fwlink
- COBALT STRIKE CONFIGURATION (from Didier Stevens 1768 Python script)
- File: Rcn9
- xorkey(chain): 0x3cb3a258
- length: 0x00033400
- payloadType: 0x10014fc2
- payloadSize: 0x00000000
- intxorkey: 0x00000000
- id2: 0x00000000
- Config found: xorkey b'.' 0x00030220 0x00033400
- 0x0001 payload type 0x0001 0x0002 0 windows-beacon_http-reverse_http
- 0x0002 port 0x0001 0x0002 80
- 0x0003 sleeptime 0x0002 0x0004 60000
- 0x0004 maxgetsize 0x0002 0x0004 1048576
- 0x0005 jitter 0x0001 0x0002 0
- 0x0007 publickey 0x0003 0x0100 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
- 0x0008 server,get-uri 0x0003 0x0100 '207.148.23.64,/ptj'
- 0x0043 0x0001 0x0002 0
- 0x0044 0x0002 0x0004 4294967295
- 0x0045 0x0002 0x0004 4294967295
- 0x0046 0x0002 0x0004 4294967295
- 0x000e SpawnTo 0x0003 0x0010 (NULL ...)
- 0x001d spawnto_x86 0x0003 0x0040 '%windir%\\syswow64\\rundll32.exe'
- 0x001e spawnto_x64 0x0003 0x0040 '%windir%\\sysnative\\rundll32.exe'
- 0x001f CryptoScheme 0x0001 0x0002 0
- 0x001a get-verb 0x0003 0x0010 'GET'
- 0x001b post-verb 0x0003 0x0010 'POST'
- 0x001c HttpPostChunk 0x0002 0x0004 0
- 0x0025 license-id 0x0002 0x0004 0
- 0x0026 bStageCleanup 0x0001 0x0002 0
- 0x0027 bCFGCaution 0x0001 0x0002 0
- 0x0009 useragent 0x0003 0x0100 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)'
- 0x000a post-uri 0x0003 0x0040 '/submit.php'
- 0x000b Malleable_C2_Instructions 0x0003 0x0100 '\x00\x00\x00\x04'
- 0x000c http_get_header 0x0003 0x0200
- b'Cookie'
- 0x000d http_post_header 0x0003 0x0200
- b'&Content-Type: application/octet-stream'
- b'id'
- 0x0036 HostHeader 0x0003 0x0080 (NULL ...)
- 0x0032 UsesCookies 0x0001 0x0002 1
- 0x0023 proxy_type 0x0001 0x0002 2 IE settings
- 0x003a 0x0003 0x0080 '\x00\x04'
- 0x0039 0x0003 0x0080 '\x00\x04'
- 0x0037 0x0001 0x0002 0
- 0x0028 killdate 0x0002 0x0004 0
- 0x0029 textSectionEnd 0x0002 0x0004 0
- 0x002b process-inject-start-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
- 0x002c process-inject-use-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
- 0x002d process-inject-min_alloc 0x0002 0x0004 0
- 0x002e process-inject-transform-x86 0x0003 0x0100 (NULL ...)
- 0x002f process-inject-transform-x64 0x0003 0x0100 (NULL ...)
- 0x0035 process-inject-stub 0x0003 0x0010 '2ÍAíð\x81\x0c[_I\x8eßG1Ìm'
- 0x0033 process-inject-execute 0x0003 0x0080 '\x01\x02\x03\x04'
- 0x0034 process-inject-allocation-method 0x0001 0x0002 0
- 0x0000
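The 1768.py output above fixes everything needed to recognise this Beacon on the wire: check-ins are GET /ptj to 207.148.23.64 with metadata in the Cookie header, tasking results are POST /submit.php with an id parameter and an octet-stream body, the user agent is the old MSIE 7.0 string, and sleeptime is 60000 ms with jitter 0, so check-ins arrive exactly 60 s apart. As an added example (not part of the original pastebin, not the analyst's or Didier Stevens' code), the script below turns those fields into a proxy-log matcher and a periodicity check. The log layout, client addresses and timestamps are constructed assumptions.

```python
"""Added example, not from the original pastebin: match proxy log lines against
the Beacon HTTP profile reported by 1768.py and test check-in periodicity.
The log layout and SAMPLE_LOG are constructed for the demonstration."""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Values copied from the Cobalt Strike configuration section.
BEACON_SERVER = "207.148.23.64"
BEACON_GET_URI = "/ptj"
BEACON_POST_URI = "/submit.php"
BEACON_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
BEACON_SLEEP_S = 60.0   # sleeptime 60000 ms
BEACON_JITTER_PCT = 0   # jitter 0

# Assumed proxy log layout: '<iso timestamp> <client ip> <method> <url> <status> "<user agent>"'
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
URL_RE = re.compile(r'^https?://([^/:?]+)(?::\d+)?(/[^?]*)?')


def parse(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line into a dict; None for lines that do not fit the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["ts"] = datetime.fromisoformat(str(rec["ts"]))
    return rec


def classify(rec: Dict[str, object]) -> Optional[str]:
    """Label a parsed request against the Beacon profile; None when it is unrelated."""
    m = URL_RE.match(str(rec["url"]))
    if not m:
        return None
    host, path = m.group(1), m.group(2) or "/"
    if host != BEACON_SERVER:
        return None                      # only traffic to the configured C2 host is considered
    if rec["method"] == "GET" and path == BEACON_GET_URI:
        return "beacon-checkin"          # GET /ptj; metadata travels in the Cookie header
    if rec["method"] == "POST" and path == BEACON_POST_URI:
        return "beacon-post"             # POST /submit.php?id=..., octet-stream body
    if rec["ua"] == BEACON_UA:
        return "beacon-ua-other-path"    # profile UA to the C2 host, but a different path
    return "c2-host-other"               # other traffic to the C2 host, worth a look


def sleep_window() -> Tuple[float, float]:
    """Beacon sleeps sleeptime minus a random 0..jitter% cut, so the gap lies in this range."""
    return BEACON_SLEEP_S * (100 - BEACON_JITTER_PCT) / 100.0, BEACON_SLEEP_S


def is_periodic(stamps: List[datetime], tolerance_s: float = 2.0) -> bool:
    """True when every gap between consecutive check-ins falls inside the sleep window."""
    lo, hi = sleep_window()
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return bool(gaps) and all(lo - tolerance_s <= g <= hi + tolerance_s for g in gaps)


def hunt(log_text: str) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Return (hits, clients whose check-in spacing matches the profile) for a block of log lines."""
    hits: List[Tuple[str, str, str]] = []
    checkins: Dict[str, List[datetime]] = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict is None:
            continue
        client = str(rec["client"])
        hits.append((client, verdict, str(rec["url"])))
        if verdict == "beacon-checkin":
            checkins.setdefault(client, []).append(rec["ts"])  # datetime set by parse()
    beaconing = sorted(c for c, ts in checkins.items() if is_periodic(ts))
    return hits, beaconing


# Constructed sample: one host checking in every 60 s, a POST of results, browsing noise,
# and a second host fetching /Rcn9 from the C2 address with an unrelated user agent.
SAMPLE_LOG = f"""\
2021-07-20T14:02:11 10.0.0.15 GET http://{BEACON_SERVER}/ptj 200 "{BEACON_UA}"
2021-07-20T14:02:40 10.0.0.22 GET http://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2021-07-20T14:03:11 10.0.0.15 GET http://{BEACON_SERVER}/ptj 200 "{BEACON_UA}"
2021-07-20T14:03:15 10.0.0.15 POST http://{BEACON_SERVER}/submit.php?id=12345 200 "{BEACON_UA}"
2021-07-20T14:04:11 10.0.0.15 GET http://{BEACON_SERVER}/ptj 200 "{BEACON_UA}"
2021-07-20T14:05:02 10.0.0.31 GET http://{BEACON_SERVER}/Rcn9 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

if __name__ == "__main__":
    hits, beaconing = hunt(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print("periodic check-ins from:", beaconing)
```

With jitter 0 the sleep window collapses to a single value, which is why a small tolerance is still applied: proxy timestamps are whole seconds and the host adds a little latency. For a profile with a non-zero jitter the same `sleep_window` gives the lower bound to test against, which is the only change needed to reuse the check.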