ExecuteMalware

2021-03-24 Hancitor IOCs

Mar 24th, 2021
THREAT IDENTIFICATION: HANCITOR

HANCITOR BUILD
BUILD=2203_78291

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service

SENDERS OBSERVED

MALDOC LANDING PAGES

MALDOC DISTRIBUTION URLS

HANCITOR MALDOC FILE HASHES

HANCITOR PAYLOAD FILE HASH
Static.dll
5eaea1f20e237257dadfd96e597d8ef4

HANCITOR C2
http://tricilidiany.com/8/forum.php
http://intaticducalso.ru/8/forum.php
http://gloporiente.ru/8/forum.php

FICKER STEALER PAYLOAD URLS
http://g1smurt.ru/6jiuu8934u.exe

FICKER STEALER FILE HASH
6jiuu8934u.exe
77be0dd6570301acac3634801676b5d7

FICKER STEALER C2
http://sweyblidian.com

COBALT STRIKE DOWNLOAD URLS
http://g1smurt.ru/2303.bin
http://g1smurt.ru/2303s.bin

COBALT STRIKE FILE HASHES
2303.bin
07a39d514646abe8efc39e930dbf74b1

2303s.bin
461353de6e2edda219692b64d08a55e7

COBALT STRIKE TRAFFIC
http://74.50.60.96/9Wic
http://74.50.60.96/visit.js

9Wic
72326b9238c305a45cf387ce2141d659
