pandazheng

2021-07-13 Hancitor IOCs

Jul 13th, 2021
THREAT IDENTIFICATION: HANCITOR / FICKER STEALER / COBALT STRIKE

HANCITOR BUILD NUMBER
BUILD=1307_peat1

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED

MALDOC PROXY DISTRIBUTION URLS

MALDOC REDIRECT DOWNLOAD URLS
  85.  
  86. MALDOC FILE HASHES (All the same)
  87. 90f6edec8143a64b6751812aa075ea0f
  88.  
  89. HANCITOR PAYLOAD FILE HASH
  90. ier.dll
  91. 4f1e738b6e75d32fc0c3cf3657247a9d
  92.  
  93. HANCITOR C2
  94. http://andiumentz.ru/8/forum.php
  95. http://shavegaref.ru/8/forum.php
  96. http://tagnicredga.com/8/forum.php
  97.  
  98. FICKER STEALER DOWNLOAD URL
  99. http://tryffeltinor.ru/7dfgdrttg6.exe
  100.  
  101. FICKER STEALER FILE HASH
  102. 7dfgdrttg6.exe
  103. 270c3859591599642bd15167765246e3
  104.  
  105. FICKER STEALER C2
  106. http://pospvisis.com
  107.  
  108. COBALT STRIKE STAGER DOWNLOAD URLS
  109. http://tryffeltinor.ru/1207.bin
  110. http://tryffeltinor.ru/1207s.bin
  111.  
  112. COBALT STRIKE STAGER FILE HASHES
  113. 1207.bin
  114. 26e559ca6e38cbafd20c1dd7484c2385
  115.  
  116. 1207s.bin
  117. ffd8acab871ffd27b08b6deb13bc363c
  118.  
  119. COBALT STRIKE BEACON DOWNLOAD URL
  120. http://92.119.157.74/8Qkh
  121.  
  122. COBALT STRIKE BEACON FILE HASH
  123. 8Qkh
  124. 261db9a2054262e6c18c07c7ddd42a95
  125.  
  126. COBALT STRIKE C2
  127. http://92.119.157.74/dot.gif
  128. http://92.119.157.74/submit.php?id=45682440
  129.  
  130. ADDITIONAL COBALT STRIKE URLS FROM STRINGS IN MEMORY
  131. https://92.119.157.74/Bsr5
  132. https://92.119.157.74/IE9CompatViewList.xml
  133. https://92.119.157.74/submit.php?id=1906916994
  134.  
  135.  
  136. COBALT STRIKE BEACON CONFIGURATION
  137. 0x0004 maxgetsize 0x0002 0x0004 1048576
  138. 0x0005 jitter 0x0001 0x0002 0
  139. 0x0007 publickey 0x0003 0x0100 30819f300d06092a864886f70d010101050003818d0030818902818100a738cde75f1fbb1c18646c377e03016b162b12ba72bdf7dc36b4cd2e4e9bae12205a95c26170bf908105ad7fa4bbccfa798632261bed9870f975f20794e1fe499523d71f08a56cae0315bfde3d6c8a16386b03b7a6551aa1336d50325a3500db27d78ad8fd13b6a73b9fb7c3fb4d7a088e323f07618656ecd83595fa5f823613020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  140. 0x0008 server,get-uri 0x0003 0x0100 '92.119.157.74,/dot.gif'
  141. 0x0043 0x0001 0x0002 0
  142. 0x0044 0x0002 0x0004 4294967295
  143. 0x0045 0x0002 0x0004 4294967295
  144. 0x0046 0x0002 0x0004 4294967295
  145. 0x000e SpawnTo 0x0003 0x0010 (NULL ...)
  146. 0x001d spawnto_x86 0x0003 0x0040 '%windir%\\syswow64\\rundll32.exe'
  147. 0x001e spawnto_x64 0x0003 0x0040 '%windir%\\sysnative\\rundll32.exe'
  148. 0x001f CryptoScheme 0x0001 0x0002 0
  149. 0x001a get-verb 0x0003 0x0010 'GET'
  150. 0x001b post-verb 0x0003 0x0010 'POST'
  151. 0x001c HttpPostChunk 0x0002 0x0004 0
  152. 0x0025 license-id 0x0002 0x0004 0
  153. 0x0026 bStageCleanup 0x0001 0x0002 0
  154. 0x0027 bCFGCaution 0x0001 0x0002 0
  155. 0x0009 useragent 0x0003 0x0100 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)'
  156. 0x000a post-uri 0x0003 0x0040 '/submit.php'
  157. 0x000b Malleable_C2_Instructions 0x0003 0x0100 '\x00\x00\x00\x04'
  158. 0x000c http_get_header 0x0003 0x0200
  159. b'Cookie'
  160. 0x000d http_post_header 0x0003 0x0200
  161. b'&Content-Type: application/octet-stream'
  162. b'id'
  163. 0x0036 HostHeader 0x0003 0x0080 (NULL ...)
  164. 0x0032 UsesCookies 0x0001 0x0002 1
  165. 0x0023 proxy_type 0x0001 0x0002 2 IE settings
  166. 0x003a 0x0003 0x0080 '\x00\x04'
  167. 0x0039 0x0003 0x0080 '\x00\x04'
  168. 0x0037 0x0001 0x0002 0
  169. 0x0028 killdate 0x0002 0x0004 0
  170. 0x0029 textSectionEnd 0x0002 0x0004 0
  171. 0x002b process-inject-start-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
  172. 0x002c process-inject-use-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
  173. 0x002d process-inject-min_alloc 0x0002 0x0004 0
  174. 0x002e process-inject-transform-x86 0x0003 0x0100 (NULL ...)
  175. 0x002f process-inject-transform-x64 0x0003 0x0100 (NULL ...)
  176. 0x0035 process-inject-stub 0x0003 0x0010 '2ÍAíð\x81\x0c[_I\x8eßG1Ìm'
  177. 0x0033 process-inject-execute 0x0003 0x0080 '\x01\x02\x03\x04'
  178. 0x0034 process-inject-allocation-method 0x0001 0x0002 0
  179. 0x0000
  180.  