Hancitor Jan 23

1. "New incoming eFax document from 1-888-<digits>"
2. https://www.hybrid-analysis.com/sample/6dcbf652b96a7aea16d0c2e72186173d9345f722c9592e62820bcfe477b2b297?environmentId=100
3.  
4. dl domains
5. http://tabrs.com
6. http://boxerproperties.org
7. http://boxerproperties.biz
8. http://classiccaladiums.org
9.  
10. thanks to @social_amit for additional domain
11. http://boxerproperties.us
12.  
13. hancitor exe download
14. http://ofthi.com/1
15.  
16. hancitor c2
17. http://littarhapone.com/ls5/forum.php
18.  
19. payload links
20. http://goodgroupllc.com/modules/media_entity/1
21. http://goodgroupllc.com/modules/media_entity/2
22. http://goodgroupllc.com/modules/media_entity/3
23. http://helloyou.se/wp-content/plugins/pixcodes/1
24. http://helloyou.se/wp-content/plugins/pixcodes/2
25. http://helloyou.se/wp-content/plugins/pixcodes/3
26. http://impressocoffee.com.au/wp-content/plugins/dynamic-featured-image/1
27. http://impressocoffee.com.au/wp-content/plugins/dynamic-featured-image/2
28. http://impressocoffee.com.au/wp-content/plugins/dynamic-featured-image/3
29. http://outandaboutpublications.com.au/1
30. http://outandaboutpublications.com.au/2
31. http://outandaboutpublications.com.au/3
32. http://www.boltboxmarketing.com/wp-content/plugins/js_composer/config/1
33. http://www.boltboxmarketing.com/wp-content/plugins/js_composer/config/2
34. http://www.boltboxmarketing.com/wp-content/plugins/js_composer/config/3
35.  
36. pony c2
37. http://littarhapone.com/mlu/forum.php
38.  
39. evilpony c2
40. http://littarhapone.com/d2/about.php
41.  
42. per @malware_traffic pandabanker c2/dl domain
43. suptalefthed.ru
44.  
45. and pandabanker links
46. https://suptalefthed.ru/1paylseaffiuwosylygcy.dat
47. https://suptalefthed.ru/61webinjects.dat
48. https://suptalefthed.ru/1paylseaffiuwosylygcy.exe
49. https://suptalefthed.ru/61webinject32.bin
50. https://suptalefthed.ru/61grabber.bin
51. https://suptalefthed.ru/61vnc32.bin
52. https://suptalefthed.ru/61backsocks.bin
53. https://suptalefthed.ru/61keylogger.bin