2021-04-01 Hancitor IOCs

1. THREAT IDENTIFICATION: HANCITOR
2.  
3. SUBJECTS OBSERVED
4. You got invoice from DocuSign Electronic Service
5. You got invoice from DocuSign Electronic Signature Service
6. You got invoice from DocuSign Service
7. You got invoice from DocuSign Signature Service
8. You received invoice from DocuSign Electronic Service
9. You received invoice from DocuSign Service
10. You received notification from DocuSign Electronic Signature Service
11. You received notification from DocuSign Signature Service
12.  
13. SENDERS OBSERVED
14. [email protected]
15. [email protected]
16. [email protected]
17. [email protected]
18. [email protected]
19. [email protected]
20. [email protected]
21. [email protected]
22.  
23. MALDOC LANDING PAGE URLS
24. https://docs.google.com/document/d/e/2PACX-1vQ2ppWe--iSJ3VEepl33K3vEYx0gXf_Vkz3idvlRX-ldhzzIvZmDQtJk9yfG-UWU57uTVYnRhpq79mr/pub
25. https://docs.google.com/document/d/e/2PACX-1vQq9436z3PaO3ndtW5pGcIm1YikMciJe3N_ubr_syEz4aAvni4vErDDVYfKzsjhUI-GebIn__P15VhJ/pub
26. https://docs.google.com/document/d/e/2PACX-1vRK7cgPdCcaipphRW5W-cpwwdg0zjbdGPE7G5movv0OjLBdlHsvIB5gpvew1hRfk8nw4Ny3zr_akv1G/pub
27. https://docs.google.com/document/d/e/2PACX-1vSAFHJAKO7WKmMnN7jvLOmTtWe8gM2SxQ9z4geBfdSb7hlCU95JVd_-rg2qnS-_qu0StKoK_PJrAfII/pub
28. https://docs.google.com/document/d/e/2PACX-1vScYVQddX7qBiZz6jcwdQnj-ID10gVbO_ZPv4Gie_zjo13YbWOvFueYiYouEQ-W2GhU5L9Ig2ZUFhPa/pub
29. https://docs.google.com/document/d/e/2PACX-1vSD-I9R60TDGfvJ4K7sTLZF1h2h1vV0xUYh4QCCRlVzMc1yHTakTW4ulE4DNjDH-LoB8kweitIJVlrP/pub
30. https://docs.google.com/document/d/e/2PACX-1vSTw3jgBO8aOSTzwKQectTvkOpITY5drKQIMY_pHUhRpMdvpWs_APbxXDXaMEiuhLUrSdC-1r6_8-NJ/pub
31. https://docs.google.com/document/d/e/2PACX-1vTHkVlb-r3k5ObTZZ_wW1Y2lq9TQbE-0aC-tEmmUv6i6hWBN1u8m6XH7iDnV2C0sV2KtWIPcMHUkgEw/pub
32.  
33. MALDOC DISTRIBUTION URLS
34. http://tlfthelifefactory.com.au/foxglove.php
35. https://iriti.net/crap.php
36. https://iriti.net/newuser.php
37. https://koonol.mx/yestereve.php
38. https://loyalty.kkcoaches.co.ug/prosperous.php
39. https://pharmaciebougieba.org/stypsis.php
40. https://silverwhipmedia.com/ethernet.php
41. https://silverwhipmedia.com/phonorecord.php
42.  
43. iriti.net
44. koonol.mx
45. loyalty.kkcoaches.co.ug
46. pharmaciebougieba.org
47. silverwhipmedia.com
48. tlfthelifefactory.com.au
49.  
50. HANCITOR MALDOC FILE HASHES
51. Unknown
52.  
53. HANCITOR PAYLOAD FILE HASH
54. Unknown
55.  
56. HANCITOR C2
57. http://cilidobas.com/8/forum.php
58. http://onvoursmo.ru/8/forum.php
59. http://bilematicdu.ru/8/forum.php
60.  
61. FICKER STEALER PAYLOAD URLS
62. http://pipopetfiu.ru/6gdj9oidfg.exe
63.  
64. FICKER STEALER FILE HASH
65. Unknown
66.  
67. FICKER STEALER C2
68. http://sweyblidian.com