- THREAT IDENTIFICATION: HANCITOR / FICKER STEALER / COBALT STRIKE
- HANCITOR BUILD NUMBER
- BUILD=1307_peat1
- SUBJECTS OBSERVED
- You got invoice from DocuSign Electronic Service
- You got invoice from DocuSign Electronic Signature Service
- You got invoice from DocuSign Service
- You got invoice from DocuSign Signature Service
- You got notification from DocuSign Electronic Service
- You got notification from DocuSign Electronic Signature Service
- You got notification from DocuSign Service
- You received invoice from DocuSign Electronic Signature Service
- You received invoice from DocuSign Service
- You received invoice from DocuSign Signature Service
- You received notification from DocuSign Electronic Signature Service
- You received notification from DocuSign Signature Service
- SENDERS OBSERVED
- MALDOC PROXY DISTRIBUTION URLS
- MALDOC REDIRECT DOWNLOAD URLS
- MALDOC FILE HASHES (all observed maldocs share the same hash)
- 90f6edec8143a64b6751812aa075ea0f
- HANCITOR PAYLOAD FILE HASH
- ier.dll
- 4f1e738b6e75d32fc0c3cf3657247a9d
- HANCITOR C2
- http://andiumentz.ru/8/forum.php
- http://shavegaref.ru/8/forum.php
- http://tagnicredga.com/8/forum.php
- FICKER STEALER DOWNLOAD URL
- http://tryffeltinor.ru/7dfgdrttg6.exe
- FICKER STEALER FILE HASH
- 7dfgdrttg6.exe
- 270c3859591599642bd15167765246e3
- FICKER STEALER C2
- http://pospvisis.com
- COBALT STRIKE STAGER DOWNLOAD URLS
- http://tryffeltinor.ru/1207.bin
- http://tryffeltinor.ru/1207s.bin
- COBALT STRIKE STAGER FILE HASHES
- 1207.bin
- 26e559ca6e38cbafd20c1dd7484c2385
- 1207s.bin
- ffd8acab871ffd27b08b6deb13bc363c
- COBALT STRIKE BEACON DOWNLOAD URL
- http://92.119.157.74/8Qkh
- COBALT STRIKE BEACON FILE HASH
- 8Qkh
- 261db9a2054262e6c18c07c7ddd42a95
- COBALT STRIKE C2
- http://92.119.157.74/dot.gif
- http://92.119.157.74/submit.php?id=45682440
- ADDITIONAL COBALT STRIKE URLS FROM STRINGS IN MEMORY
- https://92.119.157.74/Bsr5
- https://92.119.157.74/IE9CompatViewList.xml
- https://92.119.157.74/submit.php?id=1906916994
- COBALT STRIKE BEACON CONFIGURATION
- 0x0004 maxgetsize 0x0002 0x0004 1048576
- 0x0005 jitter 0x0001 0x0002 0
- 0x0007 publickey 0x0003 0x0100 [public key blob omitted]
- 0x0008 server,get-uri 0x0003 0x0100 '92.119.157.74,/dot.gif'
- 0x0043 0x0001 0x0002 0
- 0x0044 0x0002 0x0004 4294967295
- 0x0045 0x0002 0x0004 4294967295
- 0x0046 0x0002 0x0004 4294967295
- 0x000e SpawnTo 0x0003 0x0010 (NULL ...)
- 0x001d spawnto_x86 0x0003 0x0040 '%windir%\\syswow64\\rundll32.exe'
- 0x001e spawnto_x64 0x0003 0x0040 '%windir%\\sysnative\\rundll32.exe'
- 0x001f CryptoScheme 0x0001 0x0002 0
- 0x001a get-verb 0x0003 0x0010 'GET'
- 0x001b post-verb 0x0003 0x0010 'POST'
- 0x001c HttpPostChunk 0x0002 0x0004 0
- 0x0025 license-id 0x0002 0x0004 0
- 0x0026 bStageCleanup 0x0001 0x0002 0
- 0x0027 bCFGCaution 0x0001 0x0002 0
- 0x0009 useragent 0x0003 0x0100 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)'
- 0x000a post-uri 0x0003 0x0040 '/submit.php'
- 0x000b Malleable_C2_Instructions 0x0003 0x0100 '\x00\x00\x00\x04'
- 0x000c http_get_header 0x0003 0x0200
- b'Cookie'
- 0x000d http_post_header 0x0003 0x0200
- b'&Content-Type: application/octet-stream'
- b'id'
- 0x0036 HostHeader 0x0003 0x0080 (NULL ...)
- 0x0032 UsesCookies 0x0001 0x0002 1
- 0x0023 proxy_type 0x0001 0x0002 2 IE settings
- 0x003a 0x0003 0x0080 '\x00\x04'
- 0x0039 0x0003 0x0080 '\x00\x04'
- 0x0037 0x0001 0x0002 0
- 0x0028 killdate 0x0002 0x0004 0
- 0x0029 textSectionEnd 0x0002 0x0004 0
- 0x002b process-inject-start-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
- 0x002c process-inject-use-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
- 0x002d process-inject-min_alloc 0x0002 0x0004 0
- 0x002e process-inject-transform-x86 0x0003 0x0100 (NULL ...)
- 0x002f process-inject-transform-x64 0x0003 0x0100 (NULL ...)
- 0x0035 process-inject-stub 0x0003 0x0010 '2ÍAíð\x81\x0c[_I\x8eßG1Ìm'
- 0x0033 process-inject-execute 0x0003 0x0080 '\x01\x02\x03\x04'
- 0x0034 process-inject-allocation-method 0x0001 0x0002 0
- 0x0000