2021-04-06 Hancitor IOCs

1. THREAT IDENTIFICATION: HANCITOR
2.  
3. HANCITOR BUILD NUMBER
4. &BUILD=0504_khrn7
5.  
6. SUBJECTS OBSERVED
7. You got invoice from DocuSign Electronic Service
8. You got invoice from DocuSign Service
9. You got invoice from DocuSign Signature Service
10. You got notification from DocuSign Electronic Service
11. You got notification from DocuSign Electronic Signature Service
12. You got notification from DocuSign Service
13. You got notification from DocuSign Signature Service
14. You received invoice from DocuSign Electronic Service
15. You received invoice from DocuSign Electronic Signature Service
16. You received invoice from DocuSign Service
17. You received invoice from DocuSign Signature Service
18. You received notification from DocuSign Electronic Service
19. You received notification from DocuSign Electronic Signature Service
20. You received notification from DocuSign Signature Service
21.  
22. SENDERS OBSERVED
23. [email protected]
24. [email protected]
25. [email protected]
26. [email protected]
27. [email protected]
28. [email protected]
29. [email protected]
30. [email protected]
31. [email protected]
32. [email protected]
33. [email protected]
34. [email protected]
35. [email protected]
36. [email protected]
37. [email protected]
38. [email protected]
39. [email protected]
40. [email protected]
41. [email protected]
42. [email protected]
43. [email protected]
44. [email protected]
45. [email protected]
46. [email protected]
47. [email protected]
48. [email protected]
49. [email protected]
50. [email protected]
51. [email protected]
52. [email protected]
53. [email protected]
54. [email protected]
55. [email protected]
56. [email protected]
57. [email protected]
58. [email protected]
59. [email protected]
60.  
61. MALDOC LANDING PAGE URLS
62. https://docs.google.com/document/d/e/2PACX-1vQ9XcRcgT1n0O7_Ata3ZoR2ZSs7v7u6Q1TGVMsOKX1SXEdHWOI3uzhWWAY5A07RMRk3-ry3_e1RJ4Yy/pub
63. https://docs.google.com/document/d/e/2PACX-1vQAI_OD4LRHilqUa8YupVfbR78HZIs6Usbh_gY7YgNsMGO5SLi65yDDnVS5I8_OM1yEqDbvYme4PbIR/pub
64. https://docs.google.com/document/d/e/2PACX-1vQGtiAUMQPqK18942rGSNpYfkobPiQ0fsNv9eGdAnVixmPgfr24Fkulx0_lU42vHTD0Wm500hyV_h43/pub
65. https://docs.google.com/document/d/e/2PACX-1vQJr9NtWzzmxkni7ckatWW5n5KZlCKuAyF20zLc40eHt9VcfRMfbxes8gVhva_oP-2x5onlwx9Z5jLc/pub
66. https://docs.google.com/document/d/e/2PACX-1vQKtVWt7lmHmqvgT_3TbwVppRqZSDph1DlVO6sYAmPglPDFcc2_3II2j_pKx9X7SGY_slO-sb6fHIJO/pub
67. https://docs.google.com/document/d/e/2PACX-1vQqTFHCCRDCxjDqC2ksjf1dF4ne0-zScp4SsH4VI2OjvyOXrLkJwgYtK426ZisxMaSj_lMW72-qeNII/pub
68. https://docs.google.com/document/d/e/2PACX-1vRaSmtpv316Grxbq4k_Ao6ciz7Xq12KQDcnC-JmcVT1cXjVI3hw5EVkbA1Ie1putCixClriNjI79v-0/pub
69. https://docs.google.com/document/d/e/2PACX-1vRDFpZMV2aSAm13Kla7MSDL1iEwlkNDq8rGsT3_8rAXF6gsaBQ84wU7RYB4mXEXsYq0gFDrLQGERnEl/pub
70. https://docs.google.com/document/d/e/2PACX-1vRf7lFvJnnmvjBpQS2hBk16jA94_iHRnMs7_xYGcWvJRi-2dQCXHeaKfjj8lqDcUmG8MbU2_XyfMn-a/pub
71. https://docs.google.com/document/d/e/2PACX-1vRgtRHpzv2mfl6Ii1z1V3saMlQiA4kRZbfMjd4glrDzXu4Mx7AO4RodFJgmJLcgOmgANDYsljDjYqNn/pub
72. https://docs.google.com/document/d/e/2PACX-1vRJtXpsUCiHladmThehUuaGaPvNA9VkmgdqSlBKpCcNT93cqeOFb0gjoR5KutH7f5_oeCKUg4EZMlzl/pub
73. https://docs.google.com/document/d/e/2PACX-1vRlEu9lSnGhf_x5JGkQJrFS5NWRi-88gXcAJa9yNdRzJoZm6FhGhM1mbMMTZo8HdZpHjLUv0WlKw0es/pub
74. https://docs.google.com/document/d/e/2PACX-1vS1pEmY5kmv4V6sQ7UNUMcwk18gsp6ETFzv6DGecZOXU19VK5P_NAiLY8_6Alfhe_TNykfEygD3i_UU/pub
75. https://docs.google.com/document/d/e/2PACX-1vSKOqk6ag67OHl2Mk54ADDVlXMdgwz_3Lqldx1EkPVehl9v_9ywxrqllLU4SjiZWSGSHGFJZb9bHG1p/pub
76. https://docs.google.com/document/d/e/2PACX-1vSM6GKqOeWjEh2PfR_H0dP8bvcTxOfjXsqVVnDL29ceMmSF4kz2uaDrvjyt1LwGF8ukmsCY-sMa34YN/pub
77. https://docs.google.com/document/d/e/2PACX-1vSOq6cS13HHkMKuFP8BKkZPed561DUyLwiskgy8uX02-6Uqei6imKgF8NS78Qv0r3WnjgROFbYgjyyD/pub
78. https://docs.google.com/document/d/e/2PACX-1vSU1rJa3yMtW6vXeihCzK695N-spOphRfwQ1iCiTuv4W8hNg3JSFTsRIsggd7l6kzuFwiVB0jKa5Y3g/pub
79. https://docs.google.com/document/d/e/2PACX-1vSw8vir5Y9plQkCuAxjgmVlTOnI671vIzs_6hLv4LM2MbxntUAtYjEudrkbM-Nmg6BZ1UH42GsOPBUy/pub
80. https://docs.google.com/document/d/e/2PACX-1vT7Nfz2LlFfe4OzGrLP-F-tEZXR1UfqsDcEOxxDd2HEa39gwxQxmiFtsfsdgCKxJ_3kIalFwed9Us7B/pub
81. https://docs.google.com/document/d/e/2PACX-1vT_q1IiiG31N5svdtCQuF91sQpC_8qKOKKqbf4WG_KOYr3tAsYOP0chCgznAn5jAUOBVKauu-9-N9Qi/pub
82. https://docs.google.com/document/d/e/2PACX-1vTku9R9HwOVre3LgWrw-myaxun_eudBpgvFFt_5Jh_l1RK8C8j9950SlLlG0r2IbWoG-JN1QYvsYYtl/pub
83. https://docs.google.com/document/d/e/2PACX-1vTqrWv-xt7Pe0yw22SdBCNHz3kXPWfqIoAPjbXHUE_sjUktRn7M8v-2d4g2jvyglSGt4EZGEXbecbXG/pub
84. https://docs.google.com/document/d/e/2PACX-1vTtwsSk4MWtsc4zgz8ZYvLDsH2Q4dJ4NLGUpVZu5OpMxa9bJxJ2IPePfZHGV2Jw80BkO0Yav_bUe1Sk/pub
85. https://docs.google.com/document/d/e/2PACX-1vTWADwvXDs2xfqC1DgH6RE7JJ_I0UAR1z9cF--Ta1tIhFHApIXg7lVLczwiOBfRhypgSwtGLOJprSMh/pub
86. https://docs.google.com/document/d/e/2PACX-1vTyhCYxQ8-QiGYJIFiCg9eKeYOVmgs2ciXS4gSDsaXz7cQaa7vBTtmjzsoLn8ruSWDgtBLWqmkXXQp3/pub
87. https://docs.google.com/document/d/e/2PACX-1vTzLp4KPycaBYR456_IfFi4gGPJT0wlvG7qRWRnFYtbf2qVkS2qYGS5ANYglmvqFIHAR6o5JqVhU8d9/pub
88.  
89. MALDOC DISTRIBUTION URLS
90. https://asianmedicaldevices.com/helper.php
91. https://asianmedicaldevices.com/oriental.php
92. https://asianmedicaldevices.com/sunstone.php
93. https://dev.triamanggala.com/fulmar.php
94. https://dev.triamanggala.com/smoother.php
95. https://espectaculos.empresasuv.mx/incise.php
96. https://hseconosur.com/student.php
97. https://hseconosur.com/transhipment.php
98. https://ieltsbritishcouncil.co/romanticize.php
99. https://ieltsbritishcouncil.co/steamed.php
100. https://loyalty.kkcoaches.co.ug/navigability.php
101. https://loyalty.kkcoaches.co.ug/osteologist.php
102. https://loyalty.kkcoaches.co.ug/quinbinary.php
103. https://loyalty.kkcoaches.co.ug/racist.php
104. https://metastudies.gr/croatian.php
105. https://metastudies.gr/dropper.php
106. https://operations.kkcoaches.co.ug/blinds.php
107. https://operations.kkcoaches.co.ug/honing.php
108. https://operations.kkcoaches.co.ug/paperless.php
109. https://sma1sapuran.sch.id/outgrowth.php
110.  
111. asianmedicaldevices.com
112. empresasuv.mx
113. hseconosur.com
114. ieltsbritishcouncil.co
115. kkcoaches.co.ug
116. metastudies.gr
117. sma1sapuran.sch.id
118. triamanggala.com
119.  
120. HANCITOR MALDOC FILE HASHES
121. 07ac3c85d62db7c650df8095aa693d0e
122. 364f80a5b16841597256388191a2981e
123. 6800a4b6c4f2f1bf98db25b2175ab1f9
124. 7bfa20649012bb4d7a38331cb1f1439d
125. 8e0ea61f2cf1c3b999f19184caffd82b
126. 914f4441e94cf5e2fcb1bed512ca9bc1
127. 94d5a498c40c795a24fc127db09e9806
128. c9374d2cce44359478c4f56d2f0d67e1
129. cefdb562f6972e78309b165b125f4055
130. ee654e3a199b6ddd2da0dd7ad854ed80
131. f98badc4dbe19eddac7464bca1933067
132. fc7fac4b8e77b228f967cd25c39476fa
133.  
134. HANCITOR PAYLOAD FILE HASH
135. MsMp.dll
136. 3737ff2818c3648a90028e695bd0ad31
137.  
138. HANCITOR C2
139. http://cametateleb.ru/8/forum.php
140. http://divelerevol.com/8/forum.php
141. http://polionallas.ru/8/forum.php
142.  
143. FICKER STEALER PAYLOAD URLS
144. http://tren0.ru/6jhuy675rt.exe
145.  
146. FICKER STEALER FILE HASH
147. 6jhuy675rt.exe
148. 77be0dd6570301acac3634801676b5d7
149.  
150. FICKER STEALER C2
151. http://sweyblidian.com