2021-02-03 Hancitor IOCs

1. THREAT ATTRIBUTION: HANCITOR
2.  
3. HANCITOR BUILD
4. Build: 0302_095463
5.  
6. SUBJECTS OBSERVED
7. You got invoice from DocuSign Electronic Signature Service
8. You got invoice from DocuSign Signature Service
9. You received notification from DocuSign Service
10.  
11. SENDERS OBSERVED
12. [email protected]
13. [email protected]
14. [email protected]
15.  
16. MALDOC LANDING PAGES
17. https://docs.google.com/document/d/e/2PACX-1vRJcCxmq6V91L1_nGEv44Upt3uhU_BwVsF7bTLTtxPbc7gm24NNiK1l0CLKMriwfQGHzHMH1q-qm39K/pub
18. https://docs.google.com/document/d/e/2PACX-1vTb8bBuckRwz8JXbAIvNfZjJdMv1O-Q3QimNmsHnwtXbcTkCEmhTS6drFarFXB4o20ElpwePCQ-OQg2/pub
19. https://docs.google.com/document/d/e/2PACX-1vTD5YthhcE0t9iRn0SQi1ZU3TPVT_73SzYC-zKuFqLONsz9RB6LXlfqplElZXUpq-QosggzFSNN-eRo/pub
20.  
21. MALDOC DOWNLOAD URLS
22. http://ajlpublicidade.pt/synthesist.php
23. http://www.serve-tour.com/undocumented.php
24. https://btcclique.com/subornation.php
25.  
26. ajlpublicidade.pt
27. btcclique.com
28. serve-tour.com
29.  
30. MALDOC FILE HASHES
31. a87349c5e2fe7ef31cad560eb767b7ba
32. cf9abed05058d19d188f50c0f1d495e4
33.  
34. HANCITOR PAYLOAD FILE HASHES
35. W0rd.dll
36. faba140b4629acca24726fc44facaf58
37.  
38. HANCITOR C2
39. http://efelsdvismade.com/8/forum.php
40. http://curishisral.ru/8/forum.php
41.  
42. FICKER STEALER PAYLOAD
43. http://buckeyesecurity.net/6lajhbjyuk.exe
44.  
45. FICKER STEALER FILE HASHES
46. 77be0dd6570301acac3634801676b5d7
47.  
48. FICKER STEALER C2
49. http://sweyblidian.com
50. http://185.100.65.29
51.