ExecuteMalware

2021-02-25 Hancitor with Cobalt Strike IOCs

Feb 25th, 2021
THREAT IDENTIFICATION: HANCITOR

HANCITOR BUILD
BUILD=2502_ser3402

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Signature Service

SENDERS OBSERVED
cilegsi@alumalodge.fish
eky@alumalodge.fish
gbjb@alumalodge.fish
o@alumalodge.fish
omeuao@alumalodge.fish
pdeugau@alumalodge.fish
udiuwig@alumalodge.fish
uvpi@alumalodge.fish
xxwsxex@alumalodge.fish

MALDOC LANDING PAGE URLS
https://docs.google.com/document/d/e/2PACX-1vQ_iB254FLZwex_SMtN1bYyqc9cAwxV51Az9MCiJh0yrgprVjrxalbkw4mEgagakJfve6XTSf3fyP-m/pub
https://docs.google.com/document/d/e/2PACX-1vQ_UEesgTo9XOh6sV3jReYaUKNkrZOcPsd5-jloT40W2EMSMjF1fa0mSt34KjOHD9SbIYdYmPpzDX0H/pub
https://docs.google.com/document/d/e/2PACX-1vQeZKhFLekudqH3SSwsm2cc_X4AMMZb7KSrHqL5EZ0I3JHODeQKm7ap34GwWRRUzraQShIhiwPBCbIJ/pub
https://docs.google.com/document/d/e/2PACX-1vRbBTctItvpIsRVS1B6G7eS6WHFcJZvk2jWAwdZ0OV-uAoHOfqR_he9BAIF_rI5uDC891PzpnOLSdMm/pub
https://docs.google.com/document/d/e/2PACX-1vRiZWs38eBJl6meJPSFY2n8C25-FdvSRAhpBf-cUDDYHbCGCHhKdJYJY235mwYdsBLzJHJZlYZgLciM/pub
https://docs.google.com/document/d/e/2PACX-1vS2xXZgf6hNt6zT8z90MneOAAb1um1Er7Cwe6nnlWbyfVDzomOWwNCB32YJmvfELTrP0eE7lZo0iYYu/pub
https://docs.google.com/document/d/e/2PACX-1vT03x_9-U0Q7CUikEnNeebwSj6e8ZSmcaOdDoAMlfueLiWEL9pKY67j14KD-CyzP_n20bvpCg0ZZgyr/pub
https://docs.google.com/document/d/e/2PACX-1vTghdcY921fCwuju7Y7Htf52IvtbdCo1uxKs5JBQErhrIO84GMbYDK7ScCw8zTr4emwvpiglNd_MiHa/pub
https://docs.google.com/document/d/e/2PACX-1vTudh0fa8ddJIUHwzvFNFCeIAHQ4GSRi1l07Rf0PcaNlNi2afpbp4GhC23HvbH3mrKg8_TifpPrhLGz/pub

MALDOC DISTRIBUTION URLS
https://4spoiltboyz.co.za/magnet.php
https://4spoiltboyz.co.za/rebus.php
https://buahpinggang.my/driftage.php
https://cocam.com.br/app/webroot/imagens/chamadas/recalcitrant.php
https://wp.webmavens.com/wp-content/awhirl.php

4spoiltboyz.co.za
buahpinggang.my
cocam.com.br
webmavens.com

HANCITOR MALDOC FILE NAMES
0225_6931906569242.doc
fc95d6794c9551d41ca64699dba7831e

0225_45868432836132.doc
e675dc56b3a2044fcdac9f36fd48ad0e

0225_4384219621562.doc
7903732249da4ff1cfb1c05a39570d2e

HANCITOR MALDOC FILE HASHES
7903732249da4ff1cfb1c05a39570d2e
e675dc56b3a2044fcdac9f36fd48ad0e
fc95d6794c9551d41ca64699dba7831e

HANCITOR PAYLOAD FILE HASH
Static.dll
1272d3d1b2e63bf3a7111200957f4fe6

HANCITOR C2
http://speritentz.com/8/forum.php
http://afternearde.ru/8/forum.php
http://counivicop.ru/8/forum.php

FICKER STEALER PAYLOAD URLS
http://wouatiareves.ru/6hy67438ue.exe

FICKER STEALER FILE HASH
6hy67438ue.exe
77be0dd6570301acac3634801676b5d7

FICKER STEALER C2
http://sweyblidian.com

COBALT STRIKE PAYLOAD URLS
http://wouatiareves.ru/2502.bin
http://wouatiareves.ru/2502s.bin

COBALT STRIKE FILE HASHES
2502.bin
a62f0f63412325dbdf7827847c00b94f

2502s.bin
639c23bc846ab4ed33d036be7119f336

COBALT STRIKE TRAFFIC
http://64.52.168.229:8080/7ySY
http://64.52.168.229:8080/ptj

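The script below is an added example, not part of the ExecuteMalware paste: it parses an IOC block in the layout above (a constructed subset of the list is embedded so it runs offline), classifies each line as URL, domain, IPv4, e-mail, MD5 or file name, derives the host from each URL so a later payload fetched from the same domain (for example a different .bin name on wouatiareves.ru) still hits, keeps docs.google.com out of the domain list because only the full published-document URL is an indicator there, and then matches the result against a few constructed proxy, MTA and EDR log lines. The SHARED_HOSTS and FILE_EXTS sets, the decision to treat the whole sender domain as an indicator, and the log lines are assumptions made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: a subset of the IOC block above, kept in its original
# layout (all-caps section headers, file name / MD5 pairs, bare domains).
IOC_TEXT = """
SENDERS OBSERVED
eky@alumalodge.fish

MALDOC LANDING PAGE URLS
https://docs.google.com/document/d/e/2PACX-1vQ_iB254FLZwex_SMtN1bYyqc9cAwxV51Az9MCiJh0yrgprVjrxalbkw4mEgagakJfve6XTSf3fyP-m/pub

MALDOC DISTRIBUTION URLS
https://4spoiltboyz.co.za/magnet.php

4spoiltboyz.co.za

HANCITOR PAYLOAD FILE HASH
Static.dll
1272d3d1b2e63bf3a7111200957f4fe6

HANCITOR C2
http://speritentz.com/8/forum.php

FICKER STEALER PAYLOAD URLS
http://wouatiareves.ru/6hy67438ue.exe

COBALT STRIKE TRAFFIC
http://64.52.168.229:8080/ptj
"""

URL_RE = re.compile(r"https?://\S+", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
MD5_RE = re.compile(r"[0-9a-f]{32}", re.I)
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

# Assumptions for this example: shared platforms whose host alone is not an
# indicator, and extensions that mark a bare line as a file name, not a domain.
SHARED_HOSTS = {"docs.google.com"}
FILE_EXTS = {"dll", "exe", "bin", "doc", "docx"}


def parse_iocs(text):
    """Classify each non-empty line into url/domain/ipv4/email/md5/filename sets."""
    iocs = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if URL_RE.fullmatch(line):
            iocs["url"].add(line)
            host = urlsplit(line).hostname  # drops scheme, port and path
            if host and host not in SHARED_HOSTS:
                iocs["ipv4" if IPV4_RE.fullmatch(host) else "domain"].add(host)
        elif EMAIL_RE.fullmatch(line):
            iocs["email"].add(line.lower())
            iocs["domain"].add(line.split("@", 1)[1].lower())  # whole sender domain abused
        elif MD5_RE.fullmatch(line):
            iocs["md5"].add(line.lower())
        elif DOMAIN_RE.fullmatch(line) and line.rsplit(".", 1)[1].lower() not in FILE_EXTS:
            iocs["domain"].add(line.lower())
        elif "." in line and line.rsplit(".", 1)[1].lower() in FILE_EXTS:
            iocs["filename"].add(line)
    return iocs


def defang(ioc):
    """Render an indicator so it is not clickable or auto-linked when shared."""
    return ioc.replace("http", "hxxp").replace(".", "[.]").replace("@", "[@]")


def scan_logs(iocs, lines):
    """Return (line_number, kind, indicator) for every indicator seen in each line.
    Domains, IPs and file names get boundaries that still allow a preceding dot,
    so subdomains of a listed domain hit too; URLs, e-mails and hashes match verbatim."""
    matchers = []
    for kind, values in iocs.items():
        for ioc in sorted(values):
            pat = re.escape(ioc)
            if kind in ("domain", "ipv4", "filename"):
                pat = r"(?<![\w-])" + pat + r"(?![\w-])"
            matchers.append((kind, ioc, re.compile(pat, re.I)))
    return [(n, kind, ioc) for n, line in enumerate(lines, 1)
            for kind, ioc, rx in matchers if rx.search(line)]


# Constructed proxy, MTA and EDR log lines; none of them come from the page.
SAMPLE_LOGS = [
    "2021-02-25T10:12:01 proxy src=10.0.0.14 GET http://wouatiareves.ru/2502s.bin status=200",
    "2021-02-25T10:12:09 proxy src=10.0.0.14 POST http://64.52.168.229:8080/ptj status=200",
    '2021-02-25T09:58:44 mta from=<eky@alumalodge.fish> subject="You got invoice from DocuSign Service"',
    "2021-02-25T10:11:55 edr host=WS14 file=Static.dll md5=1272D3D1B2E63BF3A7111200957F4FE6",
    "2021-02-25T10:20:00 proxy src=10.0.0.22 GET https://www.example.com/index.html status=200",
]

if __name__ == "__main__":
    parsed = parse_iocs(IOC_TEXT)
    for kind, values in sorted(parsed.items()):
        print(f"{kind}: {', '.join(defang(v) for v in sorted(values))}")
    for n, kind, ioc in scan_logs(parsed, SAMPLE_LOGS):
        print(f"line {n}: {kind} {defang(ioc)}")
```

Matching on the derived host is what catches the first log line: the embedded subset lists only the Ficker URL on wouatiareves.ru, yet the fetch of 2502s.bin from the same host is still flagged. Conversely, docs.google.com never becomes a domain indicator, so only an exact published-document URL from the list will fire on the landing pages.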