2021-08-03 Hancitor IOCs

1. THREAT IDENTIFICATION: HANCITOR / FICKER STEALER / COBALT STRIKE
2.  
3. HANCITOR BUILD NUMBER
4. BUILD=0308_spnv5
5.  
6. SUBJECTS OBSERVED
7. You got invoice from DocuSign Electronic Service
8. You got invoice from DocuSign Electronic Signature Service
9. You got invoice from DocuSign Service
10. You got invoice from DocuSign Signature Service
11. You got notification from DocuSign Electronic Service
12. You got notification from DocuSign Electronic Signature Service
13. You got notification from DocuSign Service
14. You got notification from DocuSign Signature Service
15. You received invoice from DocuSign Electronic Service
16. You received invoice from DocuSign Electronic Signature Service
17. You received invoice from DocuSign Service
18. You received invoice from DocuSign Signature Service
19. You received notification from DocuSign Electronic Service
20. You received notification from DocuSign Electronic Signature Service
21. You received notification from DocuSign Service
22. You received notification from DocuSign Signature Service
23.  
24. SENDERS OBSERVED
25. [email protected]
26. [email protected]
27. [email protected]
28. [email protected]
29. [email protected]
30. [email protected]
31. [email protected]
32. [email protected]
33. [email protected]
34. [email protected]
35. [email protected]
36. [email protected]
37. [email protected]
38. [email protected]
39. [email protected]
40. [email protected]
41. [email protected]
42. [email protected]
43. [email protected]
44. [email protected]
45. [email protected]
46. [email protected]
47. [email protected]
48. [email protected]
49. [email protected]
50. [email protected]
51. [email protected]
52. [email protected]
53. [email protected]
54. [email protected]
55. [email protected]
56. [email protected]
57. [email protected]
58. [email protected]
59. [email protected]
60. [email protected]
61. [email protected]
62. [email protected]
63. [email protected]
64. [email protected]
65. [email protected]
66. [email protected]
67. [email protected]
68. [email protected]
69. [email protected]
70. [email protected]
71. [email protected]
72. [email protected]
73. [email protected]
74. [email protected]
75. [email protected]
76. [email protected]
77. [email protected]
78. [email protected]
79. [email protected]
80. [email protected]
81. [email protected]
82. [email protected]
83. [email protected]
84. [email protected]
85. [email protected]
86. [email protected]
87. [email protected]
88. [email protected]
89. [email protected]
90. [email protected]
91. [email protected]
92. [email protected]
93. [email protected]
94. [email protected]
95. [email protected]
96. [email protected]
97. [email protected]
98. [email protected]
99. [email protected]
100. [email protected]
101. [email protected]
102. [email protected]
103. [email protected]
104. [email protected]
105. [email protected]
106. [email protected]
107. [email protected]
108. [email protected]
109. [email protected]
110. [email protected]
111. [email protected]
112. [email protected]
113. [email protected]
114. [email protected]
115. [email protected]
116. [email protected]
117. [email protected]
118. [email protected]
119. [email protected]
120. [email protected]
121. [email protected]
122. [email protected]
123. [email protected]
124. [email protected]
125. [email protected]
126. [email protected]
127. [email protected]
128. [email protected]
129. [email protected]
130. [email protected]
131. [email protected]
132. [email protected]
133. [email protected]
134. [email protected]
135. [email protected]
136. [email protected]
137. [email protected]
138. [email protected]
139. [email protected]
140. [email protected]
141. [email protected]
142. [email protected]
143. [email protected]
144. [email protected]
145. [email protected]
146. [email protected]
147. [email protected]
148. [email protected]
149. [email protected]
150. [email protected]
151. [email protected]
152. [email protected]
153. [email protected]
154. [email protected]
155. [email protected]
156. [email protected]
157. [email protected]
158. [email protected]
159. [email protected]
160. [email protected]
161. [email protected]
162. [email protected]
163. [email protected]
164. [email protected]
165. [email protected]
166. [email protected]
167. [email protected]
168. [email protected]
169. [email protected]
170. [email protected]
171. [email protected]
172. [email protected]
173. [email protected]
174. [email protected]
175. [email protected]
176. [email protected]
177. [email protected]
178. [email protected]
179. [email protected]
180. [email protected]
181. [email protected]
182. [email protected]
183. [email protected]
184. [email protected]
185. [email protected]
186. [email protected]
187. [email protected]
188. [email protected]
189. [email protected]
190. [email protected]
191. [email protected]
192. [email protected]
193. [email protected]
194. [email protected]
195. [email protected]
196. [email protected]
197. [email protected]
198. [email protected]
199. [email protected]
200. [email protected]
201. [email protected]
202. [email protected]
203. [email protected]
204. [email protected]
205. [email protected]
206. [email protected]
207. [email protected]
208. [email protected]
209. [email protected]
210. [email protected]
211. [email protected]
212. [email protected]
213. [email protected]
214. [email protected]
215. [email protected]
216. [email protected]
217. [email protected]
218. [email protected]
219. [email protected]
220. [email protected]
221. [email protected]
222. [email protected]
223. [email protected]
224. [email protected]
225. [email protected]
226. [email protected]
227. [email protected]
228. [email protected]
229. [email protected]
230. [email protected]
231. [email protected]
232. [email protected]
233. [email protected]
234. [email protected]
235. [email protected]
236. [email protected]
237. [email protected]
238. [email protected]
239. [email protected]
240. [email protected]
241. [email protected]
242. [email protected]
243. [email protected]
244. [email protected]
245. [email protected]
246. [email protected]
247. [email protected]
248. [email protected]
249. [email protected]
250. [email protected]
251. [email protected]
252. [email protected]
253. [email protected]
254. [email protected]
255. [email protected]
256. [email protected]
257. [email protected]
258. [email protected]
259. [email protected]
260. [email protected]
261. [email protected]
262. [email protected]
263. [email protected]
264. [email protected]
265. [email protected]
266. [email protected]
267. [email protected]
268. [email protected]
269. [email protected]
270. [email protected]
271. [email protected]
272. [email protected]
273. [email protected]
274. [email protected]
275. [email protected]
276. [email protected]
277. [email protected]
278. [email protected]
279. [email protected]
280. [email protected]
281. [email protected]
282. [email protected]
283. [email protected]
284. [email protected]
285. [email protected]
286. [email protected]
287. [email protected]
288. [email protected]
289. [email protected]
290. [email protected]
291. [email protected]
292. [email protected]
293. [email protected]
294. [email protected]
295. [email protected]
296. [email protected]
297. [email protected]
298. [email protected]
299. [email protected]
300. [email protected]
301. [email protected]
302. [email protected]
303. [email protected]
304. [email protected]
305. [email protected]
306. [email protected]
307. [email protected]
308. [email protected]
309. [email protected]
310. [email protected]
311. [email protected]
312. [email protected]
313. [email protected]
314. [email protected]
315. [email protected]
316. [email protected]
317. [email protected]
318. [email protected]
319. [email protected]
320. [email protected]
321. [email protected]
322. [email protected]
323. [email protected]
324. [email protected]
325. [email protected]
326. [email protected]
327. [email protected]
328. [email protected]
329. [email protected]
330. [email protected]
331. [email protected]
332. [email protected]
333. [email protected]
334. [email protected]
335. [email protected]
336. [email protected]
337. [email protected]
338. [email protected]
339. [email protected]
340. [email protected]
341. [email protected]
342. [email protected]
343. [email protected]
344. [email protected]
345. [email protected]
346. [email protected]
347. [email protected]
348. [email protected]
349. [email protected]
350. [email protected]
351. [email protected]
352. [email protected]
353. [email protected]
354. [email protected]
355. [email protected]
356. [email protected]
357. [email protected]
358. [email protected]
359. [email protected]
360. [email protected]
361. [email protected]
362. [email protected]
363. [email protected]
364. [email protected]
365. [email protected]
366. [email protected]
367. [email protected]
368. [email protected]
369. [email protected]
370. [email protected]
371. [email protected]
372. [email protected]
373. [email protected]
374. [email protected]
375. [email protected]
376. [email protected]
377. [email protected]
378. [email protected]
379. [email protected]
380. [email protected]
381. [email protected]
382. [email protected]
383. [email protected]
384. [email protected]
385. [email protected]
386. [email protected]
387. [email protected]
388. [email protected]
389. [email protected]
390. [email protected]
391.  
392. MALDOC PROXY DISTRIBUTION URLS
393. feedproxy.google.com/~r/llyvx/~3/1HPbx2QTN34/big.php
394. feedproxy.google.com/~r/pnuihnlrne/~3/fFNPamI_rn4/stillbirth.php
395. feedproxy.google.com/~r/tulwjeay/~3/rMQGXOVy-3U/quizzicalness.php
396. feedproxy.google.com/~r/gepgyjncs/~3/WgltbaxkTK0/dame.php
397. feedproxy.google.com/~r/cglvzs/~3/14in7hXkVpk/lombardic.php
398. feedproxy.google.com/~r/jnkdl/~3/c0JU-e5KhfU/teachable.php
399. feedproxy.google.com/~r/obqzuacvxdu/~3/YjNhfl62jyM/unlabelled.php
400. feedproxy.google.com/~r/yjpfbsue/~3/EsChJZogZGs/tractability.php
401. feedproxy.google.com/~r/pccktuvx/~3/B6ffek3xi84/unsophisticated.php
402. feedproxy.google.com/~r/mnqwvrz/~3/NeQSL1PG4cw/hitherto.php
403. feedproxy.google.com/~r/hkqsdntbyym/~3/ATRcrg7bF64/transistor.php
404.  
405. MALDOC REDIRECT DOWNLOAD URLS
406. https://bridgeroad.maverickpreviews.com/quizzicalness.php
407. https://demo.sms.uproducts.in/lombardic.php
408. https://nicelyeg.com/stillbirth.php
409. https://thiagoribeirokungfu.com/hitherto.php
410. https://www.cutting-edge.in/unlabelled.php
411. https://www.mimejorprecioford.com/transistor.php
412.  
413. cutting-edge.in
414. maverickpreviews.com
415. mimejorprecioford.com
416. nicelyeg.com
417. thiagoribeirokungfu.com
418. uproducts.in
419.  
420. MALDOC FILE HASHES
421. 16885d6a4357b2589c61fbc9a2c725a2
422. 1b64dc1f33508390eedf55d1c7df9a8b
423. 32900dbc203bf7aa955788b7c7749955
424. 52ee14e0cb8aebde975c3b269494fc37
425. 9d056cda0c3873efb5ac0f56c3028ab1
426.  
427. HANCITOR PAYLOAD FILE HASH
428. ier.dll
429. d7c87a735968d424d5c0aa2794d23657
430.  
431. HANCITOR C2
432. http://arviskeist.ru/8/forum.php
433. http://priekornat.com/8/forum.php
434. http://stionsomi.ru/8/forum.php
435.  
436. FICKER STEALER DOWNLOAD URL
437. http://fiom65pre.ru/7sdjhui32sof.exe
438.  
439. FICKER STEALER FILE HASH
440. 7sdjhui32sof.exe
441. 270c3859591599642bd15167765246e3
442.  
443. FICKER STEALER C2
444. http://pospvisis.com
445.  
446. COBALT STRIKE STAGER DOWNLOAD URLS
447. http://fiom65pre.ru/0308.bin
448. http://fiom65pre.ru/0308s.bin
449.  
450. COBALT STRIKE STAGER FILE HASHES
451. 0308.bin
452. 3a70e1933703eec9d17e92328d558854
453.  
454. 0308s.bin
455. 6ebc14bf77c7f58d680b13af884fee23
456.  
457. COBALT STRIKE BEACON DOWNLOAD URL
458. http://45.176.188.217/Kbv9
459. https://45.176.188.217/YcPP
460.  
461. COBALT STRIKE BEACON FILE HASH
462. Kbv9
463. 017c19c9ef76a8ce0f89468dc7cc57d5
464.  
465. YcPP
466. c756344c9374efac7a35c8345388346f
467.  
468. COBALT STRIKE C2
469. http://45.176.188.217/g.pixel
470. https://45.176.188.217/updates.rss
471.  
472. COBALT STRIKE POST URI
473. http://45.176.188.217/submit.php?id=483523938
474.  
475. COBALT STRIKE STRIKE BEACON CONFIGS (from Didier Stevens' 1768 tool)
476. Kbv9 Beacon Config
477. 36b4cd2e4e9bae12205a95c26170bf908105ad7fa4bbccfa798632261bed9870f975f20794e1fe499523d71f08a56cae0315bfde3d6c8a16386b03b7a6551aa1336d50325a3500db27d78ad8fd13b6a73b9fb7c3fb4d7a088e323f07618656ecd83595fa5f823613020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
478. 0x0008 server,get-uri 0x0003 0x0100 '45.176.188.217,/g.pixel'
479. 0x0043 0x0001 0x0002 0
480. 0x0044 0x0002 0x0004 4294967295
481. 0x0045 0x0002 0x0004 4294967295
482. 0x0046 0x0002 0x0004 4294967295
483. 0x000e SpawnTo 0x0003 0x0010 (NULL ...)
484. 0x001d spawnto_x86 0x0003 0x0040 '%windir%\\syswow64\\rundll32.exe'
485. 0x001e spawnto_x64 0x0003 0x0040 '%windir%\\sysnative\\rundll32.exe'
486. 0x001f CryptoScheme 0x0001 0x0002 0
487. 0x001a get-verb 0x0003 0x0010 'GET'
488. 0x001b post-verb 0x0003 0x0010 'POST'
489. 0x001c HttpPostChunk 0x0002 0x0004 0
490. 0x0025 license-id 0x0002 0x0004 0
491. 0x0026 bStageCleanup 0x0001 0x0002 0
492. 0x0027 bCFGCaution 0x0001 0x0002 0
493. 0x0009 useragent 0x0003 0x0100 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSCOM)'
494. 0x000a post-uri 0x0003 0x0040 '/submit.php'
495. 0x000b Malleable_C2_Instructions 0x0003 0x0100 '\x00\x00\x00\x04'
496. 0x000c http_get_header 0x0003 0x0200
497. b'Cookie'
498. 0x000d http_post_header 0x0003 0x0200
499. b'&Content-Type: application/octet-stream'
500. b'id'
501. 0x0036 HostHeader 0x0003 0x0080 (NULL ...)
502. 0x0032 UsesCookies 0x0001 0x0002 1
503. 0x0023 proxy_type 0x0001 0x0002 2 IE settings
504. 0x003a 0x0003 0x0080 '\x00\x04'
505. 0x0039 0x0003 0x0080 '\x00\x04'
506. 0x0037 0x0001 0x0002 0
507. 0x0028 killdate 0x0002 0x0004 0
508. 0x0029 textSectionEnd 0x0002 0x0004 0
509. 0x002b process-inject-start-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
510. 0x002c process-inject-use-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
511. 0x002d process-inject-min_alloc 0x0002 0x0004 0
512. 0x002e process-inject-transform-x86 0x0003 0x0100 (NULL ...)
513. 0x002f process-inject-transform-x64 0x0003 0x0100 (NULL ...)
514. 0x0035 process-inject-stub 0x0003 0x0010 '2ÍAíð\x81\x0c[_I\x8eßG1Ìm'
515. 0x0033 process-inject-execute 0x0003 0x0080 '\x01\x02\x03\x04'
516. 0x0034 process-inject-allocation-method 0x0001 0x0002 0
517. 0x0000
518.  
519. YcPP Beacon Config
520. File: YcPP
521. xorkey(chain): 0x54811670
522. length: 0x00033400
523. payloadType: 0x10014fc2
524. payloadSize: 0x00000000
525. intxorkey: 0x00000000
526. id2: 0x00000000
527. Config found: xorkey b'.' 0x00030220 0x00033400
528. 0x0001 payload type 0x0001 0x0002 8 windows-beacon_https-reverse_https
529. 0x0002 port 0x0001 0x0002 443
530. 0x0003 sleeptime 0x0002 0x0004 60000
531. 0x0004 maxgetsize 0x0002 0x0004 1048576
532. 0x0005 jitter 0x0001 0x0002 0
533. 0x0007 publickey 0x0003 0x0100 30819f300d06092a864886f70d010101050003818d0030818902818100a738cde75f1fbb1c18646c377e03016b162b12ba72bdf7dc36b4cd2e4e9bae12205a95c26170bf908105ad7fa4bbccfa798632261bed9870f975f20794e1fe499523d71f08a56cae0315bfde3d6c8a16386b03b7a6551aa1336d50325a3500db27d78ad8fd13b6a73b9fb7c3fb4d7a088e323f07618656ecd83595fa5f823613020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
534. 0x0008 server,get-uri 0x0003 0x0100 '45.176.188.217,/updates.rss'
535. 0x0043 0x0001 0x0002 0
536. 0x0044 0x0002 0x0004 4294967295
537. 0x0045 0x0002 0x0004 4294967295
538. 0x0046 0x0002 0x0004 4294967295
539. 0x000e SpawnTo 0x0003 0x0010 (NULL ...)
540. 0x001d spawnto_x86 0x0003 0x0040 '%windir%\\syswow64\\rundll32.exe'
541. 0x001e spawnto_x64 0x0003 0x0040 '%windir%\\sysnative\\rundll32.exe'
542. 0x001f CryptoScheme 0x0001 0x0002 0
543. 0x001a get-verb 0x0003 0x0010 'GET'
544. 0x001b post-verb 0x0003 0x0010 'POST'
545. 0x001c HttpPostChunk 0x0002 0x0004 0
546. 0x0025 license-id 0x0002 0x0004 0
547. 0x0026 bStageCleanup 0x0001 0x0002 0
548. 0x0027 bCFGCaution 0x0001 0x0002 0
549. 0x0009 useragent 0x0003 0x0100 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MANM; MANM)'
550. 0x000a post-uri 0x0003 0x0040 '/submit.php'
551. 0x000b Malleable_C2_Instructions 0x0003 0x0100 '\x00\x00\x00\x04'
552. 0x000c http_get_header 0x0003 0x0200
553. b'Cookie'
554. 0x000d http_post_header 0x0003 0x0200
555. b'&Content-Type: application/octet-stream'
556. b'id'
557. 0x0036 HostHeader 0x0003 0x0080 (NULL ...)
558. 0x0032 UsesCookies 0x0001 0x0002 1
559. 0x0023 proxy_type 0x0001 0x0002 2 IE settings
560. 0x003a 0x0003 0x0080 '\x00\x04'
561. 0x0039 0x0003 0x0080 '\x00\x04'
562. 0x0037 0x0001 0x0002 0
563. 0x0028 killdate 0x0002 0x0004 0
564. 0x0029 textSectionEnd 0x0002 0x0004 0
565. 0x002b process-inject-start-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
566. 0x002c process-inject-use-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
567. 0x002d process-inject-min_alloc 0x0002 0x0004 0
568. 0x002e process-inject-transform-x86 0x0003 0x0100 (NULL ...)
569. 0x002f process-inject-transform-x64 0x0003 0x0100 (NULL ...)
570. 0x0035 process-inject-stub 0x0003 0x0010 '2ÍAíð\x81\x0c[_I\x8eßG1Ìm'
571. 0x0033 process-inject-execute 0x0003 0x0080 '\x01\x02\x03\x04'
572. 0x0034 process-inject-allocation-method 0x0001 0x0002 0
573. 0x0000
574.  
575.  
576.