2021-07-01 Hancitor IOCs

1. THREAT IDENTIFICATION: HANCITOR / FICKER STEALER / COBALT STRIKE
2.  
3. HANCITOR BUILD NUMBER
4. BUILD=2806_ldfa1
5.  
6. SUBJECTS OBSERVED
7. You got invoice from DocuSign Electronic Service
8. You got invoice from DocuSign Electronic Signature Service
9. You got invoice from DocuSign Service
10. You got invoice from DocuSign Signature Service
11. You got notification from DocuSign Electronic Signature Service
12. You got notification from DocuSign Signature Service
13. You received invoice from DocuSign Electronic Service
14. You received invoice from DocuSign Electronic Signature Service
15. You received invoice from DocuSign Service
16. You received invoice from DocuSign Signature Service
17. You received notification from DocuSign Electronic Service
18. You received notification from DocuSign Electronic Signature Service
19. You received notification from DocuSign Service
20. You received notification from DocuSign Signature Service
21.  
22. SENDERS OBSERVED
23. [email protected]
24. [email protected]
25. [email protected]
26. [email protected]
27. [email protected]
28. [email protected]
29. [email protected]
30. [email protected]
31. [email protected]
32. [email protected]
33. [email protected]
34. [email protected]
35. [email protected]
36. [email protected]
37. [email protected]
38. [email protected]
39. [email protected]
40. [email protected]
41. [email protected]
42. [email protected]
43. [email protected]
44. [email protected]
45. [email protected]
46. [email protected]
47. [email protected]
48. [email protected]
49. [email protected]
50. [email protected]
51. [email protected]
52. [email protected]
53. [email protected]
54. [email protected]
55. [email protected]
56. [email protected]
57. [email protected]
58. [email protected]
59. [email protected]
60. [email protected]
61. [email protected]
62. [email protected]
63. [email protected]
64. [email protected]
65. [email protected]
66. [email protected]
67. [email protected]
68. [email protected]
69.  
70. MALDOC PROXY DISTRIBUTION URLS
71. http://feedproxy.google.com/~r/afubkyadw/~3/W8TDwP-aCsA/shadowboxing.php
72. http://feedproxy.google.com/~r/ajtaluq/~3/BHas8Qaf2pw/liniment.php
73. http://feedproxy.google.com/~r/bpbsdeoaexf/~3/jSgDuetsZbA/fineness.php
74. http://feedproxy.google.com/~r/bumpro/~3/6Put3tH7alQ/smitten.php
75. http://feedproxy.google.com/~r/cduwwzkg/~3/dF0DLhBadro/await.php
76. http://feedproxy.google.com/~r/csiuor/~3/UmWE7aKqEa8/distemper.php
77. http://feedproxy.google.com/~r/dzeywlnner/~3/42ThwIJW4p8/scantling.php
78. http://feedproxy.google.com/~r/fbixnijnz/~3/FAWU0S23G2U/foundling.php
79. http://feedproxy.google.com/~r/fdhkmwqsyv/~3/TTUf3hfqqV4/terminologist.php
80. http://feedproxy.google.com/~r/flosuusnz/~3/LsLexMc3JBM/tacit.php
81. http://feedproxy.google.com/~r/izoeo/~3/OO1Mhb0WCyU/women.php
82. http://feedproxy.google.com/~r/jklzm/~3/OeJu1g3eTlY/sailfish.php
83. http://feedproxy.google.com/~r/jtzifdls/~3/wRyBFahZdpc/respects.php
84. http://feedproxy.google.com/~r/krxydhl/~3/HzYz3AAH2ts/colloid.php
85. http://feedproxy.google.com/~r/laqqikm/~3/gpLNiUKyTNU/existent.php
86. http://feedproxy.google.com/~r/lsnqp/~3/rL7_7aqzyyc/seisms.php
87. http://feedproxy.google.com/~r/mkgchoa/~3/A5936nfsab0/serigraphy.php
88. http://feedproxy.google.com/~r/mwzuzfosf/~3/jSgDuetsZbA/fineness.php
89. http://feedproxy.google.com/~r/neyziwzs/~3/fKCpZlfZKlA/physiographic.php
90. http://feedproxy.google.com/~r/pgvzndw/~3/MRQwELy7ev8/titanium.php
91. http://feedproxy.google.com/~r/qgkeo/~3/XNVtFqP-Zus/blockmark.php
92. http://feedproxy.google.com/~r/stwwuc/~3/paDwGMmON7Y/dropping.php
93. http://feedproxy.google.com/~r/suunph/~3/OmtH9VFvy4w/seperatism.php
94. http://feedproxy.google.com/~r/teeuq/~3/vBCdzLM-FmU/skittish.php
95. http://feedproxy.google.com/~r/tiwtopbrjq/~3/WBgwPaVjygo/monk.php
96. http://feedproxy.google.com/~r/tpcdf/~3/pgVIFxclWAg/phasic.php
97. http://feedproxy.google.com/~r/ulpchz/~3/mxaYqayNLXk/trichotomy.php
98. http://feedproxy.google.com/~r/vxpdjpngzkk/~3/d7Ujr1E9Pu8/warship.php
99. http://feedproxy.google.com/~r/wfpjvnv/~3/AGIoaLi5K70/stratigraphic.php
100. http://feedproxy.google.com/~r/wjwrkbwealt/~3/6Put3tH7alQ/smitten.php
101. http://feedproxy.google.com/~r/wktwibdfdtx/~3/ioCq6SAXKvQ/geriatric.php
102. http://feedproxy.google.com/~r/wtgcnccfbjx/~3/n4pM2AVidqc/oxides.php
103. http://feedproxy.google.com/~r/xvyvb/~3/HzYz3AAH2ts/colloid.php
104. http://feedproxy.google.com/~r/ybjtmhl/~3/n7G6502qxgU/wiper.php
105. http://feedproxy.google.com/~r/zfwpgri/~3/7AqSTm_giDk/codify.php
106.  
107. MALDOC REDIRECT DOWNLOAD URLS
108. http://advansys.com.ar/liniment.php
109. http://arboonksa.com/titanium.php
110. http://arboonksa.com/trichotomy.php
111. http://buddy-pad.com/existent.php
112. http://callbizapp.com/geriatric.php
113. http://callbizapp.com/warship.php
114. http://dallaswebserv.com/distemper.php
115. http://dallaswebserv.com/wiper.php
116. http://destination.dgi.is/codify.php
117. http://dinfotechs.com/monk.php
118. http://facebook.commit.capitaluniversity.net/physiographic.php
119. http://insolvenzthemen.de/shadowboxing.php
120. http://insolvenzthemen.de/skittish.php
121. http://insolvenzthemen.de/tacit.php
122. http://jeanscolors.com/terminologist.php
123. http://kafrawifood.com/phasic.php
124. http://mingalarorchidfamily.com/seperatism.php
125. http://rangsay.com/serigraphy.php
126. http://storiafrica.com/colloid.php
127. http://storiafrica.com/fineness.php
128. http://storiafrica.com/respects.php
129. http://sultanaexecutive.com/sailfish.php
130. http://sultanaexecutive.com/seisms.php
131. http://sultanaexecutive.com/stratigraphic.php
132. http://sultanaexecutive.com/women.php
133. http://thehaider.com/await.php
134. https://carpet.awesometrips.net/blockmark.php
135. https://carpet.awesometrips.net/dropping.php
136. https://carpet.awesometrips.net/oxides.php
137. https://carpet.awesometrips.net/smitten.php
138. https://www.adstudiophotography.com/foundling.php
139. https://www.adstudiophotography.com/scantling.php
140.  
141. adstudiophotography.com
142. advansys.com.ar
143. arboonksa.com
144. awesometrips.net
145. buddy-pad.com
146. callbizapp.com
147. capitaluniversity.net
148. dallaswebserv.com
149. destination.dgi.is
150. dinfotechs.com
151. insolvenzthemen.de
152. jeanscolors.com
153. kafrawifood.com
154. mingalarorchidfamily.com
155. rangsay.com
156. storiafrica.com
157. sultanaexecutive.com
158. thehaider.com
159.  
160. HANCITOR MALDOC FILE HASHES
161. 0ab4d245656e7919ba74ebda307945ce
162. 213bb37c2d1c824f33a9c590f820bdb8
163. 392fc3d980b07be74eb27eb133ac48ae
164. 46c447f115f1e12890ce8e671674feab
165. 5faf696b558d1c4e7f5ee43c32ee6f2b
166. 644cae9eddc369ad967fda0669a6f53d
167. 9356504a6a8d79d51aa95230673bf131
168. 967799fa39f90847507ef1853f1724c2
169. bb0246e7ac3697afcb4ce8e47d204756
170. dd40635ba026133a8d16f68357ec8589
171.  
172. HANCITOR PAYLOAD FILE HASH
173. niberius.dll
174. 76bbdd2beb9c8fbddce8ea9759c6656f
175.  
176. HANCITOR C2
177. http://duclowtionly.ru/8/forum.php
178. http://raeonoran.com/8/forum.php
179. http://unteladenad.ru/8/forum.php
180.  
181. FICKER STEALER DOWNLOAD URL
182. http://rar1tet.ru/7sdf43fs.exe
183.  
184. FICKER STEALER FILE HASH
185. 7sdf43fs.exe
186. 270c3859591599642bd15167765246e3
187.  
188. FICKER C2
189. http://pospvisis.com
190.  
191. COBALT STRIKE STAGER PAYLOAD URLS
192. http://rar1tet.ru/3006.bin
193. http://rar1tet.ru/3006s.bin
194.  
195. COBALT STRIKE STAGER FILE HASHES
196. 3006.bin
197. 33033e4dbe92a9946d9ef2bc9e418572
198.  
199. 3006s.bin
200. d02f6490851abf56419b9e72621316d7
201.  
202. COBALT STRIKE BEACON FILE HASH
203. SyDL
204. 7d0af120c4da85357de4156244641812
205.  
206. COBALT STRIKE BEACON
207. http://216.250.248.91/SyDL
208.  
209. COBALT STRIKE C2
210. http://216.250.248.91/cm
211.  
212. ADDITIONAL COBALT STRIKE URLS FROM MEMORY STRINGS
213. https://216.250.248.91/g.pixel
214. https://216.250.248.91/WXbK