API tools faq
paste
pandazheng

2021-07-13 Hancitor IOCs

pandazheng
Jul 13th, 2021
242
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 7.36 KB | None | 0 0
raw download clone embed print report
  1. THRET IDENTIFICATION: HANCITOR / FICKER STEALER / COBALT STRIKE
  2.  
  3. HANCITOR BUILD NUMBER
  4. BUILD=1307_peat1
  5.  
  6. SUBJECTS OBSERVED
  7. You got invoice from DocuSign Electronic Service
  8. You got invoice from DocuSign Electronic Signature Service
  9. You got invoice from DocuSign Service
  10. You got invoice from DocuSign Signature Service
  11. You got notification from DocuSign Electronic Service
  12. You got notification from DocuSign Electronic Signature Service
  13. You got notification from DocuSign Service
  14. You received invoice from DocuSign Electronic Signature Service
  15. You received invoice from DocuSign Service
  16. You received invoice from DocuSign Signature Service
  17. You received notification from DocuSign Electronic Signature Service
  18. You received notification from DocuSign Signature Service
  19.  
  20. SENDERS OBSERVED
  21. [email protected]
  22. [email protected]
  23. [email protected]
  24. [email protected]
  25. [email protected]
  26. [email protected]
  27. [email protected]
  28. [email protected]
  29. [email protected]
  30. [email protected]
  31. [email protected]
  32. [email protected]
  33. [email protected]
  34. [email protected]
  35. [email protected]
  36. [email protected]
  37. [email protected]
  38. [email protected]
  39. [email protected]
  40.  
  41. MALDOC PROXY DISTRIBUTION URLS
  42. http://feedproxy.google.com/~r/bpeve/~3/A72JEWtgNXw/sunglasses.php
  43. http://feedproxy.google.com/~r/cknvsuf/~3/P7mMSNsQFv0/regimen.php
  44. http://feedproxy.google.com/~r/ggwdq/~3/hZEXmfySMJI/striven.php
  45. http://feedproxy.google.com/~r/ghwahnmpy/~3/j6LfaTYrU98/modal.php
  46. http://feedproxy.google.com/~r/goadmd/~3/5lNlNH18tdc/subjectivism.php
  47. http://feedproxy.google.com/~r/hmuhfaqfupk/~3/O_OaIbGFKDY/rigorous.php
  48. http://feedproxy.google.com/~r/hnfqm/~3/e9Z-6zNFzxo/mahogany.php
  49. http://feedproxy.google.com/~r/igprsuoyqg/~3/5K9jWCFcNbQ/agip.php
  50. http://feedproxy.google.com/~r/jhgswlltuh/~3/vd-NrW08WqI/japan.php
  51. http://feedproxy.google.com/~r/mssqbllwyj/~3/SUjVMdED-yI/workable.php
  52. http://feedproxy.google.com/~r/rakbuuh/~3/6eEGrimWNQQ/knee.php
  53. http://feedproxy.google.com/~r/rgqfyqto/~3/urV9_Ra6yJM/sanctifier.php
  54. http://feedproxy.google.com/~r/ugljvvfk/~3/s3YekZz6zg0/bindery.php
  55. http://feedproxy.google.com/~r/vksymd/~3/rgmhqIEKkgA/slurping.php
  56. http://feedproxy.google.com/~r/xwhmpnbmdww/~3/0GRXhzZkqEw/internetworking.php
  57. http://feedproxy.google.com/~r/xxslfyikj/~3/SUjVMdED-yI/workable.php
  58.  
  59. MALDOC REDIRECT DOWNLOAD URLS
  60. http://corpsdetexte.com/agip.php
  61. http://corpsdetexte.com/japan.php
  62. http://corpsdetexte.com/striven.php
  63. http://ezer.foundation/rigorous.php
  64. http://odas.ubicuo.site/workable.php
  65. http://sureshcaterers.com/slurping.php
  66. http://watertankcleaner.com/regimen.php
  67. http://www.mintechindia.com/sunglasses.php
  68. https://autoscrapforcash.com/bindery.php
  69. https://autoscrapforcash.com/knee.php
  70. https://autoscrapforcash.com/sanctifier.php
  71. https://development.goipcloud.co.ke/modal.php
  72. https://development.goipcloud.co.ke/subjectivism.php
  73. https://www.ivrvirtualsolutions.com/internetworking.php
  74. https://www.ivrvirtualsolutions.com/mahogany.php
  75.  
  76. autoscrapforcash.com
  77. corpsdetexte.com
  78. ezer.foundation
  79. goipcloud.co.ke
  80. ivrvirtualsolutions.com
  81. mintechindia.com
  82. sureshcaterers.com
  83. ubicuo.site
  84. watertankcleaner.com
  85.  
  86. MALDOC FILE HASHES (All the same)
  87. 90f6edec8143a64b6751812aa075ea0f
  88.  
  89. HANCITOR PAYLOAD FILE HASH
  90. ier.dll
  91. 4f1e738b6e75d32fc0c3cf3657247a9d
  92.  
  93. HANCITOR C2
  94. http://andiumentz.ru/8/forum.php
  95. http://shavegaref.ru/8/forum.php
  96. http://tagnicredga.com/8/forum.php
  97.  
  98. FICKER STEALER DOWNLOAD URL
  99. http://tryffeltinor.ru/7dfgdrttg6.exe
  100.  
  101. FICKER STEALER FILE HASH
  102. 7dfgdrttg6.exe
  103. 270c3859591599642bd15167765246e3
  104.  
  105. FICKER STEALER C2
  106. http://pospvisis.com
  107.  
  108. COBALT STRIKE STAGER DOWNLOAD URLS
  109. http://tryffeltinor.ru/1207.bin
  110. http://tryffeltinor.ru/1207s.bin
  111.  
  112. COBALT STRIKE STAGER FILE HASHES
  113. 1207.bin
  114. 26e559ca6e38cbafd20c1dd7484c2385
  115.  
  116. 1207s.bin
  117. ffd8acab871ffd27b08b6deb13bc363c
  118.  
  119. COBALT STRIKE BEACON DOWNLOAD URL
  120. http://92.119.157.74/8Qkh
  121.  
  122. COBALT STRIKE BEACON FILE HASH
  123. 8Qkh
  124. 261db9a2054262e6c18c07c7ddd42a95
  125.  
  126. COBALT STRIKE C2
  127. http://92.119.157.74/dot.gif
  128. http://92.119.157.74/submit.php?id=45682440
  129.  
  130. ADDITIONAL COBALT STRIKE URLS FROM STRINGS IN MEMORY
  131. https://92.119.157.74/Bsr5
  132. https://92.119.157.74/IE9CompatViewList.xml
  133. https://92.119.157.74/submit.php?id=1906916994
  134.  
  135.  
  136. COBALT STRIKE BEACON CONFIGURATION
  137. 0x0004 maxgetsize 0x0002 0x0004 1048576
  138. 0x0005 jitter 0x0001 0x0002 0
  139. 0x0007 publickey 0x0003 0x0100 30819f300d06092a864886f70d010101050003818d0030818902818100a738cde75f1fbb1c18646c377e03016b162b12ba72bdf7dc36b4cd2e4e9bae12205a95c26170bf908105ad7fa4bbccfa798632261bed9870f975f20794e1fe499523d71f08a56cae0315bfde3d6c8a16386b03b7a6551aa1336d50325a3500db27d78ad8fd13b6a73b9fb7c3fb4d7a088e323f07618656ecd83595fa5f823613020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  140. 0x0008 server,get-uri 0x0003 0x0100 '92.119.157.74,/dot.gif'
  141. 0x0043 0x0001 0x0002 0
  142. 0x0044 0x0002 0x0004 4294967295
  143. 0x0045 0x0002 0x0004 4294967295
  144. 0x0046 0x0002 0x0004 4294967295
  145. 0x000e SpawnTo 0x0003 0x0010 (NULL ...)
  146. 0x001d spawnto_x86 0x0003 0x0040 '%windir%\\syswow64\\rundll32.exe'
  147. 0x001e spawnto_x64 0x0003 0x0040 '%windir%\\sysnative\\rundll32.exe'
  148. 0x001f CryptoScheme 0x0001 0x0002 0
  149. 0x001a get-verb 0x0003 0x0010 'GET'
  150. 0x001b post-verb 0x0003 0x0010 'POST'
  151. 0x001c HttpPostChunk 0x0002 0x0004 0
  152. 0x0025 license-id 0x0002 0x0004 0
  153. 0x0026 bStageCleanup 0x0001 0x0002 0
  154. 0x0027 bCFGCaution 0x0001 0x0002 0
  155. 0x0009 useragent 0x0003 0x0100 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)'
  156. 0x000a post-uri 0x0003 0x0040 '/submit.php'
  157. 0x000b Malleable_C2_Instructions 0x0003 0x0100 '\x00\x00\x00\x04'
  158. 0x000c http_get_header 0x0003 0x0200
  159. b'Cookie'
  160. 0x000d http_post_header 0x0003 0x0200
  161. b'&Content-Type: application/octet-stream'
  162. b'id'
  163. 0x0036 HostHeader 0x0003 0x0080 (NULL ...)
  164. 0x0032 UsesCookies 0x0001 0x0002 1
  165. 0x0023 proxy_type 0x0001 0x0002 2 IE settings
  166. 0x003a 0x0003 0x0080 '\x00\x04'
  167. 0x0039 0x0003 0x0080 '\x00\x04'
  168. 0x0037 0x0001 0x0002 0
  169. 0x0028 killdate 0x0002 0x0004 0
  170. 0x0029 textSectionEnd 0x0002 0x0004 0
  171. 0x002b process-inject-start-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
  172. 0x002c process-inject-use-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
  173. 0x002d process-inject-min_alloc 0x0002 0x0004 0
  174. 0x002e process-inject-transform-x86 0x0003 0x0100 (NULL ...)
  175. 0x002f process-inject-transform-x64 0x0003 0x0100 (NULL ...)
  176. 0x0035 process-inject-stub 0x0003 0x0010 '2ÍAíð\x81\x0c[_I\x8eßG1Ìm'
  177. 0x0033 process-inject-execute 0x0003 0x0080 '\x01\x02\x03\x04'
  178. 0x0034 process-inject-allocation-method 0x0001 0x0002 0
  179. 0x0000
  180.  
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!