2021-03-04 Hancitor IOCs
Author: ExecuteMalware
Posted: Mar 4th, 2021
THREAT IDENTIFICATION: HANCITOR / COBALT STRIKE

HANCITOR BUILD
BUILD=0403_nores34

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED
ajt@snowexonline.com
aniveaj@snowexonline.com
creadfw@snowexonline.com
egeszeu@snowexonline.com
equoagr@snowexonline.com
esaluff@snowexonline.com
fosoxne@snowexonline.com
gopiznr@snowexonline.com
hieyso@snowexonline.com
lyhitaz@snowexonline.com
nnoi@snowexonline.com
oehnu@snowexonline.com
oeywo@snowexonline.com
xixuniv@snowexonline.com

MALDOC LANDING PAGE URLS
https://docs.google.com/document/d/e/2PACX-1vQkYvPU24UHJLynDjQ25iRce5x73XuBlY8psz1v6RLdaAK8JQt4mYm93_4RB9b13hZHg0vOHG85aqub/pub
https://docs.google.com/document/d/e/2PACX-1vQOJN73n-i1JBQbqxEqgqKqMtLBUyXUD3MHJqcLOZyKpcsUvI1aAI8PA0Pa4jKFntZ3m8J8u55W-1ye/pub
https://docs.google.com/document/d/e/2PACX-1vQoPLK79pc1M6JRgGKM3U6Zfub4EPSNepf0MhVOTezOBVcpd8eQk9sSQIJikBPvMUwSYfAL16GIH2gZ/pub
https://docs.google.com/document/d/e/2PACX-1vRE1ybUAsRj-4TyUlfpeskJR9eVxIKwDScs9NEkakEmH1ZXyt_LxuyTe2yV0vy7Y3uLQRmgCyznzvn9/pub
https://docs.google.com/document/d/e/2PACX-1vRyIiKdNjduDmviehJXbvGunz9zTyox1t9skocoKZ5n9Q_dyoHVxLba_S5OXU-X5Sn1mlwTq_T0tA0N/pub
https://docs.google.com/document/d/e/2PACX-1vS8lwl_gAnJaWYujFM_zrJlSoThA1no4V5gqhAs5Q_Cbgjb1WKM3I0TExKYrDf7et9DnQEf1V8uR7fP/pub
https://docs.google.com/document/d/e/2PACX-1vSqO9dMUxcFkCY1US1-ykUljKNSonW37UmZsE3pFFPQQ539Hz4eHhOdW8KccXeH64Uh0UeKei6Tulbw/pub
https://docs.google.com/document/d/e/2PACX-1vSTnAraWhZFAWzAQv6xyf9sWk0oqUcjbzmYTaUZSG_edrfj_FAj8nC-SeFxJODwsVfqGNY6ErQ1qSi9/pub
https://docs.google.com/document/d/e/2PACX-1vSyZawSqrd0CQcartqL8DkxWYCEWJ-l33lZkVa2hPUTopSN_2ZBLyCPwA3idJzCrCwbdRnfELRbbSU-/pub
https://docs.google.com/document/d/e/2PACX-1vT87tY-Y4ToX4InBmkCbRyJD3hd2Q8QrKH8N1WA-CUzGuc7TuqssBxlsrurUIurcMOAbo3_GjzlHtwT/pub
https://docs.google.com/document/d/e/2PACX-1vTeNivpzYo1Ck3u1Asa20p0_chu6UTFhQdpAj3Ewo1Kh2mjy47wwlobF8l6y1pvqP_KtsIfDOvDSbiZ/pub
https://docs.google.com/document/d/e/2PACX-1vTHdHOtlDts6WnCYAmKaTA3r_wSVtIYttrAHajuyRgq_0rmJOjkb_KSQUFROmP0sqXVbP7yNpksfCYA/pub
https://docs.google.com/document/d/e/2PACX-1vTjYkU9CfU5rjiwt1mVarAMLARzIfAYIICys7trq2i_-B7qa5QCkw-2AYV3gBrb5Xe_yR-Cdydm3odg/pub

MALDOC DISTRIBUTION URLS
https://m7a.rgstage.com/airworthy.php
https://lemicapaper.com/maritime.php
https://alaseeldates.com/respirator.php
http://rxquickpay.com/replacing.php

HANCITOR MALDOC FILE HASHES
7ba91fe733a2b27af2c602525151305d
d778b79cc5390c3811725cd5139d9979
df25295ccde09b82d7bc0ae808566738

HANCITOR PAYLOAD FILE HASH
Static.dll
b6675ddf8a99e0103b4c18655ead94fd

HANCITOR C2
http://throsesspeotte.com/8/forum.php
http://imilifeesinci.ru/8/forum.php
http://publearysuc.ru/8/forum.php

FICKER STEALER PAYLOAD URLS
http://baadababada.ru/6jhfa478.exe

FICKER STEALER FILE HASH
6jhfa478.exe
77be0dd6570301acac3634801676b5d7

FICKER STEALER C2
http://sweyblidian.com

COBALT STRIKE PAYLOAD URLS
http://baadababada.ru/0303.bin
http://baadababada.ru/0303s.bin

COBALT STRIKE FILE HASHES
0303s.bin
a46e64f8667a0c1dc2810c92c8453f91

0303.bin
d7c42ce4f084c429185b994bbdd2fb68

COBALT STRIKE TRAFFIC
http://51.81.142.72/uNPI