ExecuteMalware

2021-07-15 Hancitor IOCs

Jul 15th, 2021
THREAT IDENTIFICATION: HANCITOR / FICKER STEALER / COBALT STRIKE

HANCITOR BUILD NUMBER
BUILD=1507_pewut

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED

MALDOC PROXY DISTRIBUTION URLS

MALDOC REDIRECT DOWNLOAD URLS
Unavailable

MALDOC FILE HASHES
0715_522785908988.doc
b2a7e405503858e1e6f8ec093e50d8e5

HANCITOR PAYLOAD FILE HASH
ier.dll
2dc334887c1180331aca5fe3316adbe9

HANCITOR C2
http://accomead.ru/8/forum.php
http://dialencelu.ru/8/forum.php
http://gatiallyde.com/8/forum.php

FICKER STEALER DOWNLOAD URL
http://min0sra.ru/7t4dfgnmkk7.exe

FICKER STEALER FILE HASH
7t4dfgnmkk7.exe
270c3859591599642bd15167765246e3

FICKER STEALER C2
http://pospvisis.com

COBALT STRIKE STAGER DOWNLOAD URLS
http://min0sra.ru/1407.bin
http://min0sra.ru/1407s.bin

COBALT STRIKE STAGER FILE HASHES
1407.bin
ee8283d406475b5015fe3faca2896b2d

1407s.bin
80c225a95caba77a72289472c73291df

COBALT STRIKE BEACON DOWNLOAD URL
http://207.148.23.64/Rcn9

COBALT STRIKE BEACON FILE HASH
Rcn9
2ce9fd855d3fd4316c7d46d28d183c16

COBALT STRIKE C2
Unavailable