2021-03-29 Hancitor IOCs

1. THREAT IDENTIFICATION: HANCITOR
2.  
3. HANCITOR BUILD
4. BUILD: 2903_21387h
5.  
6. SUBJECTS OBSERVED
7. You got invoice from DocuSign Electronic Service
8. You got invoice from DocuSign Electronic Signature Service
9. You got invoice from DocuSign Signature Service
10. You got notification from DocuSign Electronic Signature Service
11. You got notification from DocuSign Service
12. You got notification from DocuSign Signature Service
13. You received invoice from DocuSign Electronic Service
14. You received invoice from DocuSign Electronic Signature Service
15. You received invoice from DocuSign Service
16. You received notification from DocuSign Electronic Signature Service
17. You received notification from DocuSign Signature Service
18.  
19. SENDERS OBSERVED
20. [email protected]
21. [email protected]
22. [email protected]
23. [email protected]
24. [email protected]
25. [email protected]
26. [email protected]
27. [email protected]
28. [email protected]
29. [email protected]
30. [email protected]
31. [email protected]
32. [email protected]
33. [email protected]
34. [email protected]
35. [email protected]
36. [email protected]
37. [email protected]
38. [email protected]
39. [email protected]
40. [email protected]
41. [email protected]
42. [email protected]
43.  
44. MALDOC LANDING PAGE URLS
45. https://docs.google.com/document/d/e/2PACX-1vQ1k5haNY3R3DYdn4KoE3WOWJ_0YbFYYpoI--8Pr__v-3trX-Sg4KOVXJSgLZKWP_Mr7gHOIEzun1e7/pub
46. https://docs.google.com/document/d/e/2PACX-1vQ1KAK7aaqzgKFJkCXrYTOcft-AFuS7LxQEYNTSklrAo-Hwxir8iAiD89s7t97UUFWZfajga79ntRaw/pub
47. https://docs.google.com/document/d/e/2PACX-1vQMw5Ox8cjE4orkyf060C6LjyHeUgoco7kI5NVedLK_QgPvJRgShjqMUXIosfmtLmjm41FwuAB5RHob/pub
48. https://docs.google.com/document/d/e/2PACX-1vQoG6vVOGpLgZyY5cggjzHNaGwqt-M4ysHkK5bVmn6NNSbisNeCUbhq2l_tXnY1cgDI5qFZT5FpUR22/pub
49. https://docs.google.com/document/d/e/2PACX-1vQwGz-YYSXW8Gy603rOoZXOCj4oza87GANBvZn-gW92UKzk0XZliyDizziOe7_W4XcyJ3ojyMssz5Li/pub
50. https://docs.google.com/document/d/e/2PACX-1vQWIIBWB8IVZvm-d80llrww4_pIQzGb_skH4fVirRfkUjC3hZc9I9b_yuS89dtSFx3mocsS47heNfiP/pub
51. https://docs.google.com/document/d/e/2PACX-1vRfclJ-5wm88C7kfUmrxIYAZyIc32NTQJZGwOpT4wNLsJjlH7TYL-AGhE98XVtT2EmKH6Z_J7BalRbI/pub
52. https://docs.google.com/document/d/e/2PACX-1vRM820mzzUiMnq8fNVUlj-Y0-qvmrdCsvnLNkgRQu1pMwzbAgmKTdpGqPf5RlR5Gq1-s1hiQVmcFa6Y/pub
53. https://docs.google.com/document/d/e/2PACX-1vRTsKwyv9_Mlv70s15f5OvEqWr8TjkYubswwcjxwv6BQ5d1mXDflfZ7P3N6ELIbFfY6Nbvhb48U4mZ-/pub
54. https://docs.google.com/document/d/e/2PACX-1vRtzzvX7R5nATANdr3E67WE-_UFTRzuxtBHNVfOI6ew6kLbOMQUDmWCiV4d1w7TsrchxhppYZ_D9WVv/pub
55. https://docs.google.com/document/d/e/2PACX-1vRudi0dfzvK6TV586FWkJo3UiuqXByg-sK2lHFwbuH7QLi7xgj9_aXY7qE7jJknJEE2DaC_KRgwIVvo/pub
56. https://docs.google.com/document/d/e/2PACX-1vS_1zHfjW9Z7PXSgGYu_t8BaBZ3Lo0EauSBjSe2e9vCqz2CATpIRoVVPCvQUJvUS4IrFVTanKV2ZpFJ/pub
57. https://docs.google.com/document/d/e/2PACX-1vSKSYNEgU5H8pcIXVLkyXTnM_GMy4KGj1rycaEJZlEDtGjzgc96ZdMgNDLYSG95wfJX5npjLcxXpOfW/pub
58. https://docs.google.com/document/d/e/2PACX-1vT2gTBGFNVb9Jer7vMQfiYVvlVCp18Q56Uf0wpU2oHDYxOyolZP8hR98XkqunQXfpKafWXO6scmEVGA/pub
59. https://docs.google.com/document/d/e/2PACX-1vT4cKVYcBgq7bhS4sRZy0uEhmmAGqdE4YRZAhbwii_mOVfPS3JJxIaK6BR72PdPAKGyjudYez34K4jI/pub
60. https://docs.google.com/document/d/e/2PACX-1vTOF0TUFykX588-rc_a7rHZ0r2G72MKHKX7MYjL4XKnQIDJqJYrNuemN2uYFH8mPZkiqbK-jtM0x25L/pub
61. https://docs.google.com/document/d/e/2PACX-1vTPOf_OxJTqxaPDirVmUIjwpWSADfGpdJCmTzyP2eksu3sa2YntM3T5Un1eYtjXzmnK2xd5oitPlaoJ/pub
62. https://docs.google.com/document/d/e/2PACX-1vTwUTDdPyAtmnrIB7S32qKVsw6QVuHrKB11vhKn1BMv-9FugDuMsJFbNfbtGap245LwMBhLlXBjjNfB/pub
63.  
64. MALDOC DISTRIBUTION URLS
65. http://necocheasexshop.com/reversibility.php
66. http://necocheasexshop.com/subnormality.php
67. http://razwerks.com/crier.php
68. http://razwerks.com/epicurean.php
69. http://tlfthelifefactory.com.au/aquiculture.php
70. http://tlfthelifefactory.com.au/cyanosis.php
71. http://tlfthelifefactory.com.au/explored.php
72. http://tlfthelifefactory.com.au/wizened.php
73. https://demas.tech/arraigned.php
74. https://demas.tech/bleeder.php
75. https://demas.tech/defecated.php
76. https://demas.tech/goldfish.php
77. https://emiratesminning.com/ext.php
78. https://record-israel.co.il/prothalamion.php
79. https://uniquewebservice.com/shovelsful.php
80. https://www.oacts.com/forehand.php
81. https://www.razwerks.com/maxim.php
82. https://www.razwerks.com/workaholism.php
83.  
84. demas.tech
85. emiratesminning.com
86. necocheasexshop.com
87. razwerks.com
88. record-israel.co.il
89. tlfthelifefactory.com.au
90. uniquewebservice.com
91. oacts.com
92.  
93. HANCITOR MALDOC FILE HASHES
94. 2c9a441be8cfb3aad3e11e0dead70f90
95. 8368ff71e252a7f4f9cca096f960c372
96. 8e14056b96b9707d4ecde884fcb8a48b
97. 9421fadb1a0deea4af0d039df07602d9
98. 94b64acb4498129f3551f48c8aad4ec4
99. 9c6bdac4a903bc77f49e33ab6eecd6e9
100. c1f0517a9df9cbcfdb9bfc61c02b44e0
101. c87c6d11cd68e5090f4346daaaa88131
102. cd23383155515a64ac8329129bf4ec1d
103.  
104. HANCITOR PAYLOAD FILE HASH
105. Static.dll
106. e85bb81c96515538f804ef7230bb47a6
107.  
108. HANCITOR C2
109. http://probassita.com/8/forum.php
110. http://frobenalini.ru/8/forum.php
111. http://proubleblecilm.ru/8/forum.php
112.  
113. FICKER STEALER PAYLOAD URLS
114. http://clublifes.ru/6jiuu8934u.exe
115.  
116. FICKER STEALER FILE HASH
117. 6jiuu8934u.exe
118. 77be0dd6570301acac3634801676b5d7
119.  
120. FICKER STEALER C2
121. http://sweyblidian.com