2021-07-06 Hancitor IOCs

1. THREAT IDENTIFICATION: HANCITOR / FICKER STEALER / COBALT STRIKE
2.  
3. HANCITOR BUILD NUMBER
4. BUILD=0607_qxwd0
5.  
6. SUBJECTS OBSERVED
7. You got invoice from DocuSign Electronic Service
8. You got invoice from DocuSign Electronic Signature Service
9. You got invoice from DocuSign Service
10. You got invoice from DocuSign Signature Service
11. You got notification from DocuSign Electronic Service
12. You got notification from DocuSign Electronic Signature Service
13. You got notification from DocuSign Service
14. You got notification from DocuSign Signature Service
15. You received invoice from DocuSign Electronic Service
16. You received invoice from DocuSign Electronic Signature Service
17. You received invoice from DocuSign Service
18. You received invoice from DocuSign Signature Service
19. You received notification from DocuSign Electronic Service
20. You received notification from DocuSign Electronic Signature Service
21. You received notification from DocuSign Service
22. You received notification from DocuSign Signature Service
23.  
24. SENDERS OBSERVED
25. [email protected]
26. [email protected]
27. [email protected]
28. [email protected]
29. [email protected]
30. [email protected]
31. [email protected]
32. [email protected]
33. [email protected]
34. [email protected]
35. [email protected]
36. [email protected]
37. [email protected]
38. [email protected]
39. [email protected]
40. [email protected]
41. [email protected]
42. [email protected]
43. [email protected]
44. [email protected]
45. [email protected]
46. [email protected]
47. [email protected]
48. [email protected]
49. [email protected]
50. [email protected]
51. [email protected]
52. [email protected]
53. [email protected]
54. [email protected]
55. [email protected]
56. [email protected]
57. [email protected]
58. [email protected]
59. [email protected]
60. [email protected]
61. [email protected]
62. [email protected]
63. [email protected]
64. [email protected]
65. [email protected]
66. [email protected]
67. [email protected]
68. [email protected]
69. [email protected]
70. [email protected]
71. [email protected]
72. [email protected]
73. [email protected]
74. [email protected]
75. [email protected]
76. [email protected]
77. [email protected]
78. [email protected]
79. [email protected]
80. [email protected]
81. [email protected]
82. [email protected]
83. [email protected]
84. [email protected]
85. [email protected]
86. [email protected]
87. [email protected]
88. [email protected]
89. [email protected]
90. [email protected]
91. [email protected]
92. [email protected]
93. [email protected]
94.  
95. MALDOC PROXY DISTRIBUTION URLS
96. http://feedproxy.google.com/~r/akgtot/~3/JBG3NcDQ-jE/sphinx.php
97. http://feedproxy.google.com/~r/bpvrl/~3/L1-mu8j17io/detour.php
98. http://feedproxy.google.com/~r/ckfgxig/~3/-fLudX5EIs4/invertor.php
99. http://feedproxy.google.com/~r/cpizxgy/~3/1HE1NbHNq7A/palmistry.php
100. http://feedproxy.google.com/~r/dormeqi/~3/1GYCuBEa_rU/inflammatory.php
101. http://feedproxy.google.com/~r/dvhvrgpejq/~3/yJHdwZsuupo/cognizance.php
102. http://feedproxy.google.com/~r/eyibvrmmeae/~3/yCm4BBw49oU/biochemical.php
103. http://feedproxy.google.com/~r/fsgiqoehl/~3/BmekNNLZ6s8/sandy.php
104. http://feedproxy.google.com/~r/fyarc/~3/F9hpBVqYr8Y/extort.php
105. http://feedproxy.google.com/~r/hfozsby/~3/S_7iIz8f4G4/trolley.php
106. http://feedproxy.google.com/~r/hhfgijfx/~3/VtvveFyEpTE/drench.php
107. http://feedproxy.google.com/~r/hvkpeje/~3/E_jZP26mTvI/diction.php
108. http://feedproxy.google.com/~r/hzcvgzre/~3/fwiZs3G9FJE/tubbiness.php
109. http://feedproxy.google.com/~r/izalif/~3/N3pM4eAAQ2k/peaceably.php
110. http://feedproxy.google.com/~r/khjkpgcysv/~3/hGtK6HPmL8U/wrathful.php
111. http://feedproxy.google.com/~r/ksaankkbze/~3/t_GafwZvGAY/halo.php
112. http://feedproxy.google.com/~r/lctuhe/~3/z_dZFLETTrU/abye.php
113. http://feedproxy.google.com/~r/lewgc/~3/3fEoC5LdR4o/dour.php
114. http://feedproxy.google.com/~r/ljccejij/~3/yVRSn0tU6RM/maim.php
115. http://feedproxy.google.com/~r/ltrbtk/~3/8xNPK-mTOrA/refugee.php
116. http://feedproxy.google.com/~r/mbludriihy/~3/8P6AfpR3t1I/dirt.php
117. http://feedproxy.google.com/~r/mmkvlqzh/~3/kQ9is7Edr8s/smoothed.php
118. http://feedproxy.google.com/~r/mprtvxwlq/~3/p0RKlbltAmw/garret.php
119. http://feedproxy.google.com/~r/nhtgwnsb/~3/qmg23XQgCAM/populism.php
120. http://feedproxy.google.com/~r/ozuim/~3/8ZnvBmKOZ1w/shed.php
121. http://feedproxy.google.com/~r/payaey/~3/FVcF30V-Tmc/suit.php
122. http://feedproxy.google.com/~r/pgxkj/~3/UwO3wgJKU6o/assorted.php
123. http://feedproxy.google.com/~r/qowvyxb/~3/iezQJeoO2fA/mausoleum.php
124. http://feedproxy.google.com/~r/qtqoftapvct/~3/5LalLw4O6HI/ridiculously.php
125. http://feedproxy.google.com/~r/qugrztxnale/~3/KVWz_XsafSM/baron.php
126. http://feedproxy.google.com/~r/sjmxqp/~3/r14ADW--pRA/chiefly.php
127. http://feedproxy.google.com/~r/swumkhxrvs/~3/iezQJeoO2fA/mausoleum.php
128. http://feedproxy.google.com/~r/tiarstrmlvx/~3/WjBZUdL3snA/concede.php
129. http://feedproxy.google.com/~r/timsoijk/~3/dP1iTN_9Mcg/ratter.php
130. http://feedproxy.google.com/~r/vytrgpamt/~3/JBG3NcDQ-jE/sphinx.php
131. http://feedproxy.google.com/~r/wgrteifbafz/~3/WTBFILZEQVQ/serigraph.php
132. http://feedproxy.google.com/~r/wrdxgk/~3/cyCrDCnJn8s/ornamental.php
133. http://feedproxy.google.com/~r/wtnugfmd/~3/dhuf1HgEA9E/rearranged.php
134. http://feedproxy.google.com/~r/wvbqpy/~3/vCSnNSDaPSc/genocide.php
135. http://feedproxy.google.com/~r/wvswwxmigba/~3/cEQ5jAxt9vU/warped.php
136. http://feedproxy.google.com/~r/wwhyfoo/~3/o3hFfKBDDc4/chair.php
137. http://feedproxy.google.com/~r/wwlarxs/~3/h2M9fFM_Itc/wriggler.php
138. http://feedproxy.google.com/~r/wxsrtgyd/~3/jdXMN6sNoKc/fatalities.php
139. http://feedproxy.google.com/~r/wxujtw/~3/5LalLw4O6HI/ridiculously.php
140. http://feedproxy.google.com/~r/xzpsdlt/~3/0zoXxC1wFyY/pursing.php
141. http://feedproxy.google.com/~r/yknempiq/~3/yCm4BBw49oU/biochemical.php
142. http://feedproxy.google.com/~r/znaiyaykz/~3/3egTwGNq0jM/infirmary.php
143. http://feedproxy.google.com/~r/ztdrghxwy/~3/mKRlj4h9B0U/antipodal.php
144.  
145. MALDOC REDIRECT DOWNLOAD URLS
146. http://24gramhealth.com/detour.php
147. http://24gramhealth.com/genocide.php
148. http://24gramhealth.com/populism.php
149. http://an.nastena.lv/garret.php
150. http://an.nastena.lv/inflammatory.php
151. http://an.nastena.lv/shed.php
152. http://destination.dgi.is/chiefly.php
153. http://destination.dgi.is/invertor.php
154. http://destination.dgi.is/ratter.php
155. http://destination.dgi.is/ridiculously.php
156. http://destination.dgi.is/suit.php
157. http://farmranch.mx/wriggler.php
158. http://grecozenobi.com.ar/ornamental.php
159. http://grecozenobi.com.ar/sphinx.php
160. http://greechip.net/biochemical.php
161. http://gunsify.com/baron.php
162. http://live.gssl.email/halo.php
163. http://live.gssl.email/mausoleum.php
164. http://mail.juvilis.ca/palmistry.php
165. http://maoptions.xyz/abye.php
166. http://mustangfastback.wireditsolutions.com.au/maim.php
167. http://mustangfastback.wireditsolutions.com.au/pursing.php
168. http://new.novapilates.com/chair.php
169. http://nextclickcorp.net/smoothed.php
170. http://omsteelgroup.in/dour.php
171. http://omsteelgroup.in/rearranged.php
172. http://seatranscorp.com/cognizance.php
173. http://sofitra-hightech.com/drench.php
174. http://sofitra-hightech.com/warped.php
175. http://sportsrunouts.com/diction.php
176. http://sportsrunouts.com/fatalities.php
177. http://stock.moltechnologies.com/extort.php
178. http://takeout-app.com/peaceably.php
179. http://takeout-app.com/sandy.php
180. http://turquoisecoaching.co.uk/concede.php
181. http://turquoisecoaching.co.uk/dirt.php
182. http://virfilms.in/assorted.php
183. http://virfilms.in/serigraph.php
184. http://virfilms.in/tubbiness.php
185. http://vivo.com.pk/antipodal.php
186. http://vivo.com.pk/wrathful.php
187. https://file.tianshuyu.top/refugee.php
188. https://www.adstudiophotography.com/infirmary.php
189. https://www.adstudiophotography.com/trolley.php
190.  
191. 24gramhealth.com
192. adstudiophotography.com
193. an.nastena.lv
194. destination.dgi.is
195. farmranch.mx
196. file.tianshuyu.top
197. grecozenobi.com.ar
198. greechip.net
199. gunsify.com
200. live.gssl.email
201. mail.juvilis.ca
202. maoptions.xyz
203. mustangfastback.wireditsolutions.com.au
204. new.novapilates.com
205. nextclickcorp.net
206. omsteelgroup.in
207. seatranscorp.com
208. sofitra-hightech.com
209. sportsrunouts.com
210. stock.moltechnologies.com
211. takeout-app.com
212. turquoisecoaching.co.uk
213. virfilms.in
214. vivo.com.pk
215.  
216. HANCITOR MALDOC FILE HASHES
217. 025078292aee21fa56cb7f20ec6d4a62
218. 0b61b7cac9776d9cd2e5380a659e541b
219. 19ca475a43a95f2543750a46d4f09f4b
220. 2b2770712a21624dea13832f9a8f695f
221. b1a57b1a512c238391ae6638970e182f
222. bc7c80f02dc87d01105355be3d3a0f22
223. cf341c78541df3e6461625e58c22316f
224. d14e2dc37f9d3f1913cfb5b1ddcb1159
225. d5e25c333ed6b914038948d77996a4de
226. fec1808861e804fbdff31ca922f5dbcc
227.  
228. HANCITOR PAYLOAD FILE HASH
229. niberius.dll
230. 90e51ee20c33ea576696ca59a524893e
231.  
232. HANCITOR C2
233. http://hosouggs.com/8/forum.php
234. http://mancause.ru/8/forum.php
235. http://hievescits.ru/8/forum.php
236.  
237. FICKER STEALER DOWNLOAD URL
238. http://kubantr0.ru/7gfdg5egds.exe
239.  
240. FICKER STEALER FILE HASH
241. 7gfdg5egds.exe
242. 270c3859591599642bd15167765246e3
243.  
244. FICKER C2
245. http://pospvisis.com
246.  
247. COBALT STRIKE STAGER PAYLOAD URLS
248. http://kubantr0.ru/0607.bin
249. http://kubantr0.ru/0607s.bin
250.  
251. COBALT STRIKE STAGER FILE HASHES
252. 0607.bin
253. c7b8743c7c77067d6203263f104a8f14
254.  
255. 0607s.bin
256. 1c89a0d567fb2b5d91f51fbe77c27016
257.  
258. COBALT STRIKE BEACON DOWNLOAD URLS
259. http://158.51.96.24/QTnI
260.  
261. COBALT STRIKE BEACON FILE HASH
262. QTnI
263. 11f2b1c1309ca74cbf4873d5d90ed35c
264.  
265. COBALT STRIKE C2
266. http://158.51.96.24/pixel.gif
267.  
268. ADDITIONAL COBALT STRIKE URLS FROM MEMORY STRINGS
269. https://158.51.96.24/2cYn
270. https://158.51.96.24/ga.js
271.