API tools faq
paste
ExecuteMalware

2021-03-03 Hancitor IOCs

ExecuteMalware
Mar 3rd, 2021
4,593
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.19 KB | None | 0 0
raw download clone embed print report
  1. THREAT IDENTIFICATION: HANCITOR / COBALT STRIKE
  2.  
  3. HANCITOR BUILD
  4. BUILD=0303_trew30
  5.  
  6. SUBJECTS OBSERVED
  7. You got invoice from DocuSign Service
  8. You got notification from DocuSign Electronic Service
  9. You got notification from DocuSign Service
  10. You received invoice from DocuSign Electronic Service
  11. You received notification from DocuSign Electronic Service
  12. You received notification from DocuSign Electronic Signature Service
  13. You received notification from DocuSign Signature Service
  14.  
  15. SENDERS OBSERVED
  16. [email protected]
  17. [email protected]
  18. [email protected]
  19. [email protected]
  20. [email protected]
  21. [email protected]
  22. [email protected]
  23. [email protected]
  24. [email protected]
  25. [email protected]
  26. [email protected]
  27.  
  28. MALDOC LANDING PAGE URLS
  29. https://docs.google.com/document/d/e/2PACX-1vQk1Da72CGqMZMEQG6oXHSE3GPwcfO7p9ipdAFW6DwN1iOx5qhofWn-dtcAJEOHXYhG0X2qOjeEG9K_/pub
  30. https://docs.google.com/document/d/e/2PACX-1vQtmhc3dUYeRlP3Qa5f_W3pYqsLpm8GhMzKWXwtBrev1va6RwJoZa46B4H2eVtGkajMJ3_RqKMX5MpD/pub
  31. https://docs.google.com/document/d/e/2PACX-1vRIhEId8jUJXA0_0enaj-8glZbnQmE7CwK2_FcKwCFhOVZr9hAPTqX7xJO-gr6NcohKe34ick1DzlIV/pub
  32. https://docs.google.com/document/d/e/2PACX-1vRzObl6qf2Hjg43G9JDvah-BAW4aQ8rJFA53yTqIUHcmtpsTNtkiH07c10wI2Bxcghn75PtWBN8WmFU/pub
  33. https://docs.google.com/document/d/e/2PACX-1vSFFEX1QJHB2_opTC1-USc6NqPQvE01ZNa_lxUhGEOpxaD4x4RgF0dmDEgZ-yPxV5AAYY-SMMPkn8l2/pub
  34. https://docs.google.com/document/d/e/2PACX-1vSgt1N3W12ZP6TzDf4edMTib_0dOhJOgY0M3SBv1L2qLzZsBxkSaqRm869lmhxSrFTVZ_5Gj9d8_z8P/pub
  35. https://docs.google.com/document/d/e/2PACX-1vSj_YIia7nLWcShxEbD4KFvcuDKwkl9GZvEi9HAnVgPklkr4nUmT5VD4MDiFL2K3sMLJh2ukEpJER-T/pub
  36. https://docs.google.com/document/d/e/2PACX-1vSnfQTOjJ3LVldXHz6l8HbjyC8P0P7VDeSl_ol5HDdTCtGHFIPlchy58D17JBBdN3hiIj_jv7rIrYjT/pub
  37. https://docs.google.com/document/d/e/2PACX-1vTSYQe4Zi3QiKrYekM9RXdOYc4_X05PcGwsgFhpVbiwMPNvK92Phfki96ou9il7QrhOJy0VzwNcMbUi/pub
  38. https://docs.google.com/document/d/e/2PACX-1vTwIT1Y2B-FBRWxr_eyddj1pwOymlGd6BxwQl7OQ3SgTuKYXSAQO8q26wGDz96ZzjH_2vf4iPqAJlE9/pub
  39.  
  40. MALDOC DISTRIBUTION URLS
  41. https://cluebazar.com/popularization.php
  42. https://mail.daunhotmiendong.vn/craze.php
  43. https://crm.basilrealty.in/uxoriousness.php
  44.  
  45. basilrealty.in
  46. cluebazar.com
  47. daunhotmiendong.vn
  48.  
  49. HANCITOR MALDOC FILE HASHES
  50. 0303_11021160093261.doc
  51. 8d4d32d950ff5ea791848fefae0c35bb
  52.  
  53. 0303_9589344049041.doc
  54. 1523d0044c726a057844b09925362ade
  55.  
  56. HANCITOR PAYLOAD FILE HASH
  57. Static.dll
  58. 3f6a65b1cdd3a80bcf48d0df223070ed
  59.  
  60. HANCITOR C2
  61. http://mainctional.com/8/forum.php
  62. http://disrulaytin.ru/8/forum.php
  63. http://puldefletat.ru/8/forum.php
  64.  
  65. FICKER STEALER PAYLOAD URLS
  66. http://nvgeeforsegt.ru/6jhfa478.exe
  67.  
  68. FICKER STEALER FILE HASH
  69. 6jhfa478.exe
  70. 77be0dd6570301acac3634801676b5d7
  71.  
  72. FICKER STEALER C2
  73. http://sweyblidian.com
  74.  
  75. COBALT STRIKE PAYLOAD URLS
  76. http://nvgeeforsegt.ru/0303.bin
  77. http://nvgeeforsegt.ru/0303s.bin
  78.  
  79. COBALT STRIKE FILE HASHES
  80. 0303s.bin
  81. a46e64f8667a0c1dc2810c92c8453f91
  82.  
  83. 0303.bin
  84. d7c42ce4f084c429185b994bbdd2fb68
  85.  
  86. COBALT STRIKE TRAFFIC
  87. http://51.81.142.72/uNPI
  88. http://51.81.142.72/push
  89. http://51.81.142.72/submit.php?id=2063695750
  90.  
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!